Closed Bellfalasch closed 6 years ago
Have you been allowed to paste scripts into HTML area???
Ai ai ai.... This is a massive security hole in XP! This must definitely NOT be allowed with CK.
My biggest question here is how this can be possible regardless of editor as we are using a back-end function to cleanup html to avoid this. Any comments @aro @GlennRicaud
You must find a different way to add scripts to pages
This has been allowed and working since 5.0 and everyone is using it. We can't stop allowing it without some kind of upgrade step / migration, at minimum wrap it in a script-macro or similar.
CKE keeps the script inclusion, but removes some important config that Hubspot needs from within the script.
At least we have identified a breaking change we need to do for 7.0 then
So what do we do here? Allow scripts for 6.15 and then forbid it in 7.0 and use migration script to extract scripts (where?) ?
Found that script on enonic.com, it fully looks like this:

```html
<p style="text-align: center;"><strong></strong></p>
<!-- [if lte IE 8]>
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/v2-legacy.js"></script>
<![endif]-->
<p>
<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/v2.js"></script>
<script>// <![CDATA[
hbspt.forms.create({
portalId: "3462655",
formId: "20ff7fa4-4940-4bbb-9f7a-06cc26ba9c33"
});
// ]]></script>
</p>
```

But yes, in the perfect world, this should have used a macro to wrap/protect the script.
So, might be that it is not the `<script>` itself but perhaps the emptiness of the `<p>` that causes this? Not sure, but worth checking.
I agree with Alan, allow for 6.15 and forbid in 7.0 - combined with upgrade script that will remove script tags from all htmlArea fields... Ok?
We need backlog tasks to clean this up in 7.0 so we don't forget!
I'm not ok with deleting any user input, actually. =P That would break many forms across our entire website, and that is just us, I can imagine tens of websites out there possibly also using the HtmlArea to add stuff they need, like scripts and whatnot. We need to properly take care of that in an upgrade, not deleting it. Could we break it out into TextArea blocks next to the HtmlArea and use a macro to fetch contents of these blocks?
To be honest I'm not sure why scripts are so dangerous. Only admins have access to these fields, and only high site privileges have access to HTML source. The few people that work in there do know what they're doing. I would argue the risks here are minimal. Basically any other system out there allows this type of input.
This will be done, and it will be documented thoroughly in the upgrade script.
Scripts are extremely dangerous as any editor on Gjensidige for instance could add malware or cracking scripts on Gjensidige's production site, potentially triggering transactions or other events in the name of other users. This is very very bad.
Enabled scripts in 6.15 and created a task for 7.0: https://github.com/enonic/lib-admin-ui/issues/683
The cleanup CKEditor (at least in Text Component) does is too strong. On Enonic.com we rely heavily on Hubspot and use it to generate forms. To embed these we paste some HTML into the CKEditor source code. These worked in TinyMCE, but after the switch to CKEditor, editing any of these blocks of text will instantly remove that script snippet.
Original content JSON looks like so. See the script in one of the Text Component blocks on this page (the last component on the page).
After opening the text component for editing, the source will turn into this:
This removes the form we embedded.