Opened 16 years ago

Last modified 11 years ago

#344 closed defect

Rich Text Editor accepts any HTML or Scripts from clipboard, paste — at Version 12

Reported by: Jaepil Owned by: liucougar
Priority: high Milestone: 1.7
Component: Editor Version: 0.2
Keywords: Cc: [email protected]
Blocked By: Blocking:

Description (last modified by Adam Peller)

Rich Text Editor accepts any HTML or Scripts from clipboard. This is a security issue and breaks the whole concept of an easy-to-use Rich Text editor.

There are two things that should be done.
1) Create onPaste event.
2) Filter the data before it gets pasted into the editor. Unwanted tags and attributes must be stripped, but the tag contents should remain as plain text.

Dojo tool users must be able to specify what tags and attributes are allowed.

If it's possible:

  • It should always strip <script> and well-known script tags, such as <?php ?>.
  • Let users specify allowed attribute and value pairs. This will be useful for 'class' attributes.

Change History (12)

comment:1 Changed 16 years ago by [email protected]

I would have to disagree with this. Filtering should be done at the server layer, not the client layer. As a general rule you should never trust data sent from a client, always filter it regardless what client-side precautions have been taken.

comment:2 Changed 16 years ago by alex

Milestone: 0.3release
Owner: changed from anonymous to alex
Status: new → assigned

comment:3 Changed 16 years ago by anonymous

I'd love to see this fixed, as it seems to be causing issues on an application I'm building. An example of the problem is pasting in content from a Microsoft Word document. It seems to add all sorts of weird tags that Firefox just doesn't understand and makes Firefox display the content all wonky. I suspect that the HTML that is pasted in should be converted into legal HTML no matter what browser you view it in.

comment:4 Changed 16 years ago by alex

Milestone: 0.3release → 0.3.1

punting for lack of time before 0.3.0

comment:5 Changed 16 years ago by alex

Milestone: 0.3.1 → 0.4

As I dig into this, it's a significant feature addition (whitelist HTML parser state machine).

oof. more punting.

comment:6 Changed 16 years ago by guest

Cc: [email protected] added

comment:7 Changed 16 years ago by dylan

Owner: changed from alex to liucougar
Status: assigned → new

cougar, please triage this if you have time... not sure if it is an issue with editor 2... if so, 0.4, 0.4.1, or 0.5?

comment:8 Changed 16 years ago by dylan

Milestone: 0.4 → 0.5

comment:9 Changed 16 years ago by dylan

Component: Widgets → Editor

comment:10 Changed 15 years ago by bill

Milestone: 0.9 → 1.1

Needs context menu support so we can intercept cut/paste requests rather than using the browser default handler.

comment:11 Changed 14 years ago by dylan

Milestone: 1.1 → 1.2

mass move of editor issues to 1.2.

comment:12 Changed 14 years ago by Adam Peller

Description: modified (diff)

related to #2140?
