#344 closed defect (fixed)
Rich Text Editor accepts any HTML or Scripts from clipboard, paste
| Reported by: | Jaepil | Owned by: | Jared Jurkiewicz |
|---|---|---|---|
| Priority: | high | Milestone: | 1.7 |
| Component: | Editor | Version: | 0.2 |
| Keywords: | Cc: | scott.oreilly@… | |
| Blocked By: | Blocking: |
Description (last modified by )
Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of easy to use Rich Text editor.
There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Un-wanted tags and attributes must be striped, but the tag contents should remain as plain text.
Dojo tool users must be able to specify what tags and attributes are allowed.
If it's possible;
- It should always strip <script> and well know script tags, such as <?php ?>.
- Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.
Attachments (2)
Change History (25)
comment:1 Changed 14 years ago by
comment:2 Changed 14 years ago by
| Milestone: | → 0.3release |
|---|---|
| Owner: | changed from anonymous to alex |
| Status: | new → assigned |
comment:3 Changed 14 years ago by
I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of wierd tags that firefox just doesn't understand and makes firefox display the content all wonky. I suspect that the html that is pasted in should be converted into legal html no matter what browser you view it in.
comment:4 Changed 13 years ago by
| Milestone: | 0.3release → 0.3.1 |
|---|
punting for lack of time before 0.3.0
comment:5 Changed 13 years ago by
| Milestone: | 0.3.1 → 0.4 |
|---|
As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).
oof. more punting.
comment:6 Changed 13 years ago by
| Cc: | scott.oreilly@… added |
|---|
comment:7 Changed 13 years ago by
| Owner: | changed from alex to liucougar |
|---|---|
| Status: | assigned → new |
cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?
comment:8 Changed 13 years ago by
| Milestone: | 0.4 → 0.5 |
|---|
comment:9 Changed 13 years ago by
| Component: | Widgets → Editor |
|---|
comment:10 Changed 12 years ago by
| Milestone: | 0.9 → 1.1 |
|---|
Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.
comment:13 Changed 11 years ago by
| Milestone: | 1.2 → future |
|---|
Unfortunately, doesn't look like this will be fixed anytime soon.
For now we just need to require the server to do filtering.
It's slightly related to #2140 but I don't consider it a duplicate. Consider a case where the user enters some text into an editor (including malicious script tags) and then sends it to the server. Then the server later embeds that rich text into a plain HTML page not even using the editor.
It would be nice for Editor on the client side to do filtering but that won't substitute for server side filtering.
Bumping this ticket until we have a volunteer to implement client side filtering.
comment:14 Changed 10 years ago by
| Owner: | liucougar deleted |
|---|
comment:15 Changed 9 years ago by
| Owner: | set to Jared Jurkiewicz |
|---|
Changed 9 years ago by
| Attachment: | dijit_344.patch added |
|---|
Modification to Editor to make over-riding of paste behavior possible.
Changed 9 years ago by
| Attachment: | dojox_344.patch added |
|---|
Addition of 'safe paste' plugin to DojoX, which makes use of PasteFromWord??? to over-ride the paste functions of Editor itself.
comment:16 Changed 9 years ago by
comment:17 Changed 9 years ago by
comment:18 Changed 9 years ago by
comment:19 Changed 8 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:20 Changed 8 years ago by
comment:21 Changed 8 years ago by
comment:23 Changed 8 years ago by
| Milestone: | future → 1.7 |
|---|
I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.