#344 closed defect (fixed)
Rich Text Editor accepts any HTML or Scripts from clipboard, paste
Reported by: | Jaepil | Owned by: | Jared Jurkiewicz |
---|---|---|---|
Priority: | high | Milestone: | 1.7 |
Component: | Editor | Version: | 0.2 |
Keywords: | | Cc: | [email protected]… |
Blocked By: | | Blocking: | |
Description (last modified by )
Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of an easy-to-use Rich Text editor.
There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Unwanted tags and attributes must be stripped, but the tag contents should remain as plain text.
Dojo tool users must be able to specify what tags and attributes are allowed.
If it's possible:
- It should always strip <script> and well-known script tags, such as <?php ?>.
- Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.
Attachments (2)
Change History (25)
comment:1 Changed 15 years ago by
comment:2 Changed 15 years ago by
Milestone: | → 0.3release |
---|---|
Owner: | changed from anonymous to alex |
Status: | new → assigned |
comment:3 Changed 15 years ago by
I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of weird tags that Firefox just doesn't understand and makes Firefox display the content all wonky. I suspect that the html that is pasted in should be converted into legal html no matter what browser you view it in.
comment:4 Changed 15 years ago by
Milestone: | 0.3release → 0.3.1 |
---|---|
punting for lack of time before 0.3.0
comment:5 Changed 15 years ago by
Milestone: | 0.3.1 → 0.4 |
---|---|
As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).
oof. more punting.
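The filter the description asks for (and the "whitelist HTML parser state machine" of comment 5), as an added example that is neither Dojo's code nor the attached patches: a small tokenizer that walks pasted markup in text / tag / comment / processing-instruction states, removes every tag not on the whitelist while keeping its text, discards `<script>`/`<style>` together with their content and `<?php ... ?>` blocks, and admits attributes only from a per-tag list, with an allowed-value set for `class` as the reporter suggests. The policy object, the http(s)/mailto rule for `href`, and the sample input are assumptions for this example. Because it depends on no DOM it is the same function the server side can run over submitted markup, which (as later comments note) is where the filtering has to happen anyway.

```javascript
// Added example (not Dojo's code, not the dijit_344/dojox_344 patches): a whitelist
// paste filter written as a small tokenizer state machine so it runs in Node as well
// as in a browser. The policy below is an assumption for this example.
const DEFAULT_POLICY = {
  // tag name -> attributes that survive on it; any tag missing here is removed (text kept)
  tags: { p: [], br: [], b: [], i: [], em: [], strong: [], ul: [], ol: [], li: [],
          a: ['href'], span: ['class'] },
  // attribute -> set of permitted values (the reporter's "attribute and value pairs")
  attrValues: { class: new Set(['note', 'code', 'highlight']) },
  // tags whose content is dropped along with the tag instead of being kept as text
  dropContent: new Set(['script', 'style']),
};
const VOID_TAGS = new Set(['br', 'hr', 'img']);
const TAG_START = /<(\/?)([a-zA-Z][a-zA-Z0-9:-]*)/y;

// Own-property lookup: a plain obj[name] would treat <constructor> as whitelisted.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

function escapeText(s) {
  // Re-escape what changes structure; leave entities already present in the paste intact.
  return s.replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

// Assumption for this example: only http(s), mailto and scheme-less (relative) links pass.
function safeHref(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase(); // defeats "java\nscript:"
  return /^[a-z][a-z0-9+.-]*:/.test(v) ? /^(https?|mailto):/.test(v) : true;
}

function parseAttrs(s) {
  const out = [], re = /([^\s="'<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (let m; (m = re.exec(s)) !== null;) out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  return out;
}

function sanitizePaste(html, policy = DEFAULT_POLICY) {
  let out = '', i = 0;
  const n = html.length, open = []; // stack of whitelisted tags currently open in the output
  while (i < n) {
    if (html[i] !== '<') {                                   // TEXT: copy up to the next '<'
      let j = html.indexOf('<', i); if (j === -1) j = n;
      out += escapeText(html.slice(i, j)); i = j; continue;
    }
    if (html.startsWith('<!--', i)) {                        // COMMENT: drop whole
      const e = html.indexOf('-->', i + 4); i = e === -1 ? n : e + 3; continue;
    }
    if (html.startsWith('<?', i)) {                          // PI such as <?php ... ?>: drop whole
      const e = html.indexOf('?>', i + 2); i = e === -1 ? n : e + 2; continue;
    }
    if (html.startsWith('<!', i)) {                          // doctype, CDATA: drop
      const e = html.indexOf('>', i + 2); i = e === -1 ? n : e + 1; continue;
    }
    TAG_START.lastIndex = i;
    const m = TAG_START.exec(html);
    if (!m) { out += '&lt;'; i += 1; continue; }             // a bare '<' in text ("1 < 2")
    // TAG: find the terminating '>', ignoring any '>' inside a quoted attribute value
    let j = i + m[0].length, quote = null;
    for (; j < n; j++) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
    }
    const attrText = html.slice(i + m[0].length, j);
    const closing = m[1] === '/', name = m[2].toLowerCase();
    i = Math.min(j + 1, n);
    if (policy.dropContent.has(name)) {                      // RAW: skip to the closing tag
      if (!closing) {
        const close = new RegExp('</' + name + '\\s*>', 'ig'); close.lastIndex = i;
        const cm = close.exec(html); i = cm ? cm.index + cm[0].length : n;
      }
      continue;
    }
    const allowedAttrs = own(policy.tags, name);
    if (allowedAttrs === undefined) continue;                // unwanted tag: drop it, keep its text
    if (closing) {
      const depth = open.lastIndexOf(name);
      if (depth === -1) continue;                            // stray close tag: drop
      while (open.length > depth) out += '</' + open.pop() + '>';
      continue;
    }
    let tag = '<' + name;
    for (const [attr, value] of parseAttrs(attrText)) {
      if (!allowedAttrs.includes(attr)) continue;
      const allowedValues = own(policy.attrValues, attr);
      if (allowedValues && !allowedValues.has(value)) continue;
      if (attr === 'href' && !safeHref(value)) continue;
      tag += ' ' + attr + '="' + escapeAttr(value) + '"';
    }
    out += tag + '>';
    if (!VOID_TAGS.has(name) && !/\/\s*$/.test(attrText)) open.push(name);
  }
  while (open.length) out += '</' + open.pop() + '>';        // close what the paste left open
  return out;
}

// Constructed sample of what a browser or Word paste might carry (not a real capture).
const SAMPLE = '<p onclick="alert(1)">Hello <script>alert(1)</script>world</p>' +
  '<div class="note">a <b>b</b> &amp; c</div><a href="javascript:alert(1)">j</a>';
console.log(sanitizePaste(SAMPLE));
```

Two design points worth noting: the output is rebuilt from scratch rather than patched, so nothing the tokenizer did not explicitly recognise survives, and the open-tag stack closes whatever the paste left unbalanced so the result cannot spill formatting into the surrounding document. Allowed values are matched exactly; a `class` of `note evil` is rejected rather than partially accepted.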
comment:6 Changed 15 years ago by
Cc: | [email protected]… added |
---|---|
comment:7 Changed 15 years ago by
Owner: | changed from alex to liucougar |
---|---|
Status: | assigned → new |
cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?
comment:8 Changed 15 years ago by
Milestone: | 0.4 → 0.5 |
---|---|
comment:9 Changed 15 years ago by
Component: | Widgets → Editor |
---|---|
comment:10 Changed 14 years ago by
Milestone: | 0.9 → 1.1 |
---|---|
Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.
comment:13 Changed 13 years ago by
Milestone: | 1.2 → future |
---|---|
Unfortunately, doesn't look like this will be fixed anytime soon.
For now we just need to require the server to do filtering.
It's slightly related to #2140 but I don't consider it a duplicate. Consider a case where the user enters some text into an editor (including malicious script tags) and then sends it to the server. Then the server later embeds that rich text into a plain HTML page not even using the editor.
It would be nice for Editor on the client side to do filtering but that won't substitute for server side filtering.
Bumping this ticket until we have a volunteer to implement client side filtering.
comment:14 Changed 12 years ago by
Owner: | liucougar deleted |
---|---|
comment:15 Changed 11 years ago by
Owner: | set to Jared Jurkiewicz |
---|---|
Changed 10 years ago by
Attachment: | dijit_344.patch added |
---|---|
Modification to Editor to make overriding of paste behavior possible.
Changed 10 years ago by
Attachment: | dojox_344.patch added |
---|---|
Addition of 'safe paste' plugin to DojoX, which makes use of PasteFromWord to override the paste functions of Editor itself.
comment:16 Changed 10 years ago by
comment:17 Changed 10 years ago by
comment:18 Changed 10 years ago by
comment:19 Changed 10 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
comment:20 Changed 10 years ago by
comment:21 Changed 10 years ago by
comment:23 Changed 10 years ago by
Milestone: | future → 1.7 |
---|---|
I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.