Rich Text Editor accepts any HTML or Scripts from clipboard, paste

[Jaepil]

Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of easy to use Rich Text editor.

There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Un-wanted tags and attributes must be striped, but the tag contents should remain as plain text.

Dojo tool users must be able to specify what tags and attributes are allowed.

If it's possible;

• It should always strip <script> and well know script tags, such as <?php ?>.
  
• Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.

[hippie@…]

I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.

[anonymous]

I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of wierd tags that firefox just doesn't understand and makes firefox display the content all wonky. I suspect that the html that is pasted in should be converted into legal html no matter what browser you view it in.

[alex]

punting for lack of time before 0.3.0

[alex]

As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).

oof. more punting.

[dylan]

cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?

[bill]

Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.

[dylan]

mass move of editor issues to 1.2.

[Adam Peller]

related to #2140?

[bill]

Unfortunately, doesn't look like this will be fixed anytime soon.

For now we just need to require the server to do filtering.

It's slightly related to #2140 but I don't consider it a duplicate. Consider a case where the user enters some text into an editor (including malicious script tags) and then sends it to the server. Then the server later embeds that rich text into a plain HTML page not even using the editor.

It would be nice for Editor on the client side to do filtering but that won't substitute for server side filtering.

Bumping this ticket until we have a volunteer to implement client side filtering.

[Jared Jurkiewicz]

Modification to Editor to make over-riding of paste behavior possible.

[Jared Jurkiewicz]

Addition of 'safe paste' plugin to DojoX, which makes use of PasteFromWord??? to over-ride the paste functions of Editor itself.

[Jared Jurkiewicz]

(In [24013]) Split out the clipboard commands to separate impls to allow for over-ride of behavior. Needed to implement a safe-paste type plugin. refs #344

[Jared Jurkiewicz]

(In [24014]) Initial pass at a 'safe paste' plugin. I would like to get rid of the dialog and will continue to investigate, but for now I want this in place as a starter. refs #344

[Jared Jurkiewicz]

(In [24015]) Initial pass at a 'safe paste' plugin. Added to the demo of editor. refs #344

[Jared Jurkiewicz]

(In [25071]) Add in optional user list tag stripping. fixes #344

[Jared Jurkiewicz]

(In [25072]) Add in optional user list tag stripping test. refs #344

[Jared Jurkiewicz]

(In [25073]) Create instance local copies of the regex list, so it can be updated without affecting all instances. refs #344

[Jared Jurkiewicz]

(In [25081]) Update README refs #344