ckeditor xss
CKEditor 3.x had issues with XSS /security issues with on
attributes. For example, you could trigger malicious code via an onerror
attribute -- ouch! Of course the problem has been fixed in CKEditor 4 but upgrading can be an issue if you have custom plugins. Here's how the issue can be solved!
CKEditor 3.x的XSS / security问题与on
属性有关。 例如,您可以通过onerror
属性触发恶意代码-哎呀! 当然,该问题已在CKEditor 4中解决,但如果您具有自定义插件,则升级可能会成为问题。 这是解决问题的方法!
JavaScript (The JavaScript)
We'll use prototype monkey-patching to accomplish this security fix:
我们将使用原型猴子补丁来完成此安全修复程序:
// Prevent bad on* attributes (https://github.com/ckeditor/ckeditor-dev/commit/1b9a322)
var oldHtmlDataProcessorProto = CKEDITOR.htmlDataProcessor.prototype.toHtml;
CKEDITOR.htmlDataProcessor.prototype.toHtml = function(data, fixForBody) {
function protectInsecureAttributes(html) {
return html.replace( /([^a-z0-9)/gi, '$1data-cke-' + CKEDITOR.rnd + '-$2' );
}
data = protectInsecureAttributes(data);
data = oldHtmlDataProcessorProto.apply(this, arguments);
data = data.replace( new RegExp( 'data-cke-' + CKEDITOR.rnd + '-', 'ig' ), '' );
return data;
};
The toHtml
method of CKEDITOR.htmlDataProcessor
is modified to remove the troublesome on
attributes during HTML render within the editor, but the attributes are indeed kept within the editor contents value and will display when you switch CKEditor to source mode. Problem solved!
修改了CKEDITOR.htmlDataProcessor
的toHtml
方法,以消除在编辑器内进行HTML渲染期间出现麻烦on
属性,但是这些属性确实保留在编辑器的内容值之内,并且在将CKEditor切换到源代码模式时将显示。 问题解决了!
ckeditor xss