ckeditor xss
CKEditor 3.x had issues with XSS /security issues with on attributes. For example, you could trigger malicious code via an onerror attribute -- ouch! Of course the problem has been fixed in CKEditor 4 but upgrading can be an issue if you have custom plugins. Here's how the issue can be solved!
CKEditor 3.x的XSS / security问题与on属性有关。 例如,您可以通过onerror属性触发恶意代码-哎呀! 当然,该问题已在CKEditor 4中解决,但如果您具有自定义插件,则升级可能会成为问题。 这是解决问题的方法!
We'll use prototype monkey-patching to accomplish this security fix:
我们将使用原型猴子补丁来完成此安全修复程序:
// Prevent bad on* attributes (https://github.com/ckeditor/ckeditor-dev/commit/1b9a322) var oldHtmlDataProcessorProto = CKEDITOR.htmlDataProcessor.prototype.toHtml; CKEDITOR.htmlDataProcessor.prototype.toHtml = function(data, fixForBody) { function protectInsecureAttributes(html) { return html.replace( /([^a-z0-9)/gi, '$1data-cke-' + CKEDITOR.rnd + '-$2' ); } data = protectInsecureAttributes(data); data = oldHtmlDataProcessorProto.apply(this, arguments); data = data.replace( new RegExp( 'data-cke-' + CKEDITOR.rnd + '-', 'ig' ), '' ); return data; };The toHtml method of CKEDITOR.htmlDataProcessor is modified to remove the troublesome on attributes during HTML render within the editor, but the attributes are indeed kept within the editor contents value and will display when you switch CKEditor to source mode. Problem solved!
修改了CKEDITOR.htmlDataProcessor的toHtml方法,以消除在编辑器内进行HTML渲染期间出现麻烦on属性,但是这些属性确实保留在编辑器的内容值之内,并且在将CKEditor切换到源代码模式时将显示。 问题解决了!
翻译自: https://davidwalsh.name/prevent-xss-ckeditor
ckeditor xss
