Opened 14 years ago

Closed 8 years ago

Last modified 8 years ago

#344 closed defect (fixed)

Rich Text Editor accepts any HTML or Scripts from clipboard, paste

Reported by: Jaepil
Owned by: Jared Jurkiewicz
Priority: high
Milestone: 1.7
Component: Editor
Version: 0.2
Keywords:
Cc: scott.oreilly@…
Blocked By:
Blocking:

Description (last modified by Adam Peller)

Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of an easy-to-use Rich Text editor.

There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Unwanted tags and attributes must be stripped, but the tag contents should remain as plain text.

Dojo tool users must be able to specify what tags and attributes are allowed.

If it's possible:

  • It should always strip <script> and well-known script tags, such as <?php ?>.
  • Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.

Attachments (2)

dijit_344.patch (2.9 KB) - added by Jared Jurkiewicz 9 years ago.
Modification to Editor to make overriding of paste behavior possible.
dojox_344.patch (14.5 KB) - added by Jared Jurkiewicz 9 years ago.
Addition of 'safe paste' plugin to DojoX, which makes use of PasteFromWord to override the paste functions of Editor itself.


Change History (25)

comment:1 Changed 14 years ago by hippie@…

I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.

comment:2 Changed 14 years ago by alex

Milestone: 0.3release
Owner: changed from anonymous to alex
Status: new → assigned

comment:3 Changed 14 years ago by anonymous

I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of weird tags that firefox just doesn't understand and makes firefox display the content all wonky. I suspect that the html that is pasted in should be converted into legal html no matter what browser you view it in.

comment:4 Changed 13 years ago by alex

Milestone: 0.3release → 0.3.1

punting for lack of time before 0.3.0

comment:5 Changed 13 years ago by alex

Milestone: 0.3.1 → 0.4

As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).

oof. more punting.

comment:6 Changed 13 years ago by guest

Cc: scott.oreilly@… added

comment:7 Changed 13 years ago by dylan

Owner: changed from alex to liucougar
Status: assigned → new

cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?

comment:8 Changed 13 years ago by dylan

Milestone: 0.4 → 0.5

comment:9 Changed 13 years ago by dylan

Component: Widgets → Editor

comment:10 Changed 12 years ago by bill

Milestone: 0.9 → 1.1

Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.

comment:11 Changed 12 years ago by dylan

Milestone: 1.1 → 1.2

mass move of editor issues to 1.2.

comment:12 Changed 11 years ago by Adam Peller

Description: modified (diff)

related to #2140?

comment:13 Changed 11 years ago by bill

Milestone: 1.2 → future

Unfortunately, doesn't look like this will be fixed anytime soon.

For now we just need to require the server to do filtering.

It's slightly related to #2140 but I don't consider it a duplicate. Consider a case where the user enters some text into an editor (including malicious script tags) and then sends it to the server. Then the server later embeds that rich text into a plain HTML page not even using the editor.

It would be nice for Editor on the client side to do filtering but that won't substitute for server side filtering.

Bumping this ticket until we have a volunteer to implement client side filtering.
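The whitelist filter the ticket description asks for (drop unknown tags but keep their text, always strip <script> and <?php ?>, let the integrator specify allowed tags and attribute/value pairs) and the point made in comment:13 (the same filtering has to happen on the server, because the stored markup is later embedded in plain pages) can both be served by one small state-machine filter that runs in a browser paste handler and unchanged under Node. The following is an added example, not code from this ticket, the Dojo editor, or the SafePaste plugin; the policy object, the function names, and the sample paste are all hypothetical and constructed here.

```javascript
'use strict';

// Whitelist policy: tag name -> { attribute name -> validator(decodedValue) -> boolean }.
// Tags not listed are dropped but their text content is kept; attributes not
// listed, or failing their validator, are dropped. Hypothetical defaults.
const DEFAULT_POLICY = {
  p: {}, br: {}, b: {}, i: {}, em: {}, strong: {}, ul: {}, ol: {}, li: {},
  a: { href: v => /^(https?:|mailto:)/i.test(v.trim()), title: () => true },
  span: { class: v => /^[A-Za-z0-9_ -]+$/.test(v) },
};

// Tags whose body is discarded with the tag instead of being kept as text.
const DROP_CONTENT = new Set(['script', 'style']);
const VOID = new Set(['br', 'hr', 'img']);

// Sticky tag grammar: "<" or "</", name, attributes, optional "/", ">".
const TAG_RE = /<(\/?)([A-Za-z][A-Za-z0-9:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode entities before validating, so "&#106;avascript:" is seen as "javascript:".
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const key = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(named, key) ? named[key] : whole;
  });
}

function escapeText(s) { return s.replace(/</g, '&lt;').replace(/>/g, '&gt;'); }
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizePastedHtml(html, policy = DEFAULT_POLICY) {
  const out = [];
  const open = [];  // names of emitted open tags, so the output is balanced
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out.push(escapeText(html.slice(i))); break; }
    out.push(escapeText(html.slice(i, lt)));
    i = lt;
    if (html.startsWith('<!--', i)) {                     // comment: drop
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    if (html[i + 1] === '!' || html[i + 1] === '?') {    // doctype, <?php ... ?>, <?xml ... ?>: drop
      const end = html.indexOf('>', i + 2);
      i = end === -1 ? html.length : end + 1;
      continue;
    }
    TAG_RE.lastIndex = i;
    const m = TAG_RE.exec(html);
    if (!m) { out.push('&lt;'); i += 1; continue; }      // not a parsable tag: "<" is text
    const [whole, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    i += whole.length;
    if (!slash && DROP_CONTENT.has(name)) {               // skip <script>/<style> bodies
      const closeRe = new RegExp('</' + name + '\\s*>', 'gi');
      closeRe.lastIndex = i;
      const c = closeRe.exec(html);
      i = c ? c.index + c[0].length : html.length;
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(policy, name)) continue;  // drop tag, keep content
    const allowed = policy[name];
    if (slash) {
      const at = open.lastIndexOf(name);
      if (at === -1) continue;                            // stray close tag: drop
      while (open.length > at) out.push('</' + open.pop() + '>');
      continue;
    }
    let attrs = '';
    for (const a of attrText.matchAll(ATTR_RE)) {
      const an = a[1].toLowerCase();
      if (!Object.prototype.hasOwnProperty.call(allowed, an)) continue;
      const raw = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
      const value = decodeEntities(raw);
      if (allowed[an](value)) attrs += ' ' + an + '="' + escapeAttr(value) + '"';
    }
    out.push('<' + name + attrs + '>');
    if (!VOID.has(name)) open.push(name);
  }
  while (open.length) out.push('</' + open.pop() + '>');
  return out.join('');
}

// Constructed sample resembling a Word paste plus the kinds of markup the ticket wants stripped.
const SAMPLE_PASTE =
  '<p class=MsoNormal><b>Hi</b> <o:p></o:p><script>alert(1)</script>' +
  '<a href="&#106;avascript:alert(1)" onclick="x()">bad</a> ' +
  '<a href="https://dojotoolkit.org" title="Dojo">ok</a>' +
  '<?php echo 1; ?><!-- note --><span class="note" style="color:red">a &amp; b</span><i>unclosed';

console.log(sanitizePastedHtml(SAMPLE_PASTE));
```

In a browser this would be called from the paste handler on the clipboard HTML before it is inserted into the editing surface; on the server the identical function is applied again to the submitted markup before storage, which is the separation comment:13 insists on. The policy is passed per call, so each editor instance can carry its own copy of the allowed list. Everything not explicitly listed is dropped, and attribute values are entity-decoded before the validator sees them and re-encoded on output, so an encoded scheme in an href does not pass the check.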

comment:14 Changed 10 years ago by bill

Owner: liucougar deleted

comment:15 Changed 9 years ago by Douglas Hays

Owner: set to Jared Jurkiewicz

Changed 9 years ago by Jared Jurkiewicz

Attachment: dijit_344.patch added

Modification to Editor to make overriding of paste behavior possible.

Changed 9 years ago by Jared Jurkiewicz

Attachment: dojox_344.patch added

Addition of 'safe paste' plugin to DojoX, which makes use of PasteFromWord to override the paste functions of Editor itself.

comment:16 Changed 9 years ago by Jared Jurkiewicz

(In [24013]) Split out the clipboard commands to separate impls to allow for override of behavior. Needed to implement a safe-paste type plugin. refs #344

comment:17 Changed 9 years ago by Jared Jurkiewicz

(In [24014]) Initial pass at a 'safe paste' plugin. I would like to get rid of the dialog and will continue to investigate, but for now I want this in place as a starter. refs #344

comment:18 Changed 9 years ago by Jared Jurkiewicz

(In [24015]) Initial pass at a 'safe paste' plugin. Added to the demo of editor. refs #344

comment:19 Changed 8 years ago by Jared Jurkiewicz

Resolution: fixed
Status: new → closed

(In [25071]) Add in optional user list tag stripping. fixes #344

comment:20 Changed 8 years ago by Jared Jurkiewicz

(In [25072]) Add in optional user list tag stripping test. refs #344

comment:21 Changed 8 years ago by Jared Jurkiewicz

(In [25073]) Create instance local copies of the regex list, so it can be updated without affecting all instances. refs #344

comment:22 Changed 8 years ago by Jared Jurkiewicz

(In [25081]) Update README refs #344

comment:23 Changed 8 years ago by bill

Milestone: future → 1.7