jejacks0n / mercury

Mercury Editor: The Rails WYSIWYG editor that allows embedding full page editing capabilities directly inline.
http://jejacks0n.github.com/mercury
2.63k stars, 531 forks

Cross-Site Scripting in Mercury #453

Open soaj1664 opened 10 years ago

soaj1664 commented 10 years ago

Hi,

The editor is vulnerable to an XSS. The editor allows users to insert a link, and if instead of a normal link I input a JavaScript URI

javascript:alert%28location%29

then it works. The attacker can execute arbitrary code of his choice. Please fix this issue. Thanks!


yakatz commented 10 years ago

That is how it is supposed to work. If you don't want it to do that, you need to implement a filter in your save method.

jejacks0n commented 10 years ago

Hey @soaj1664, pretty much what Yahuda says. There's a filtering option that removes tags/attributes before sending to the server, but sanitizing on the server is pretty normal and expected. If I don't call it out specifically it's because the expectation was obvious to me, but I may need to update the readme.

soaj1664 commented 10 years ago

Hi @yakatz and @jejacks0n

Sorry, I do not understand you, because it does not make any sense to allow JavaScript URIs and require the user to implement their own filter. It would be great if this option were provided by the WYSIWYG editor by default. TinyMCE does not allow JS URIs, and Jive also does not allow injecting JS URIs.

yakatz commented 10 years ago

@soaj1664 The way I use the editor, I want people to be able to create javascript: URIs. We use this feature a lot on one project. For projects where I want to limit what the user can save, I use a whitelist of allowed tags since a malicious user could manipulate the posted JSON to contain anything whether the editor allows it or not.
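As an added illustration of the server-side filtering that yakatz and jejacks0n describe (this is not code from Mercury or from anyone in this thread), a small Ruby check that rejects `javascript:` and other non-allowlisted link schemes in HTML posted by the editor, including the percent-encoded form from the report; the function names and the scheme allowlist are assumptions.

```ruby
require 'cgi'

# Schemes a saved link is allowed to use (assumed allowlist for this example).
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Decide whether a link target is acceptable before the HTML is saved.
# Returns true for relative links and allowlisted schemes, false otherwise.
def safe_href?(href)
  return false if href.nil?
  # Normalise the way a browser would before dispatching on the scheme:
  # decode HTML entities, then percent-encoding, then drop control
  # characters and whitespace that browsers ignore inside the scheme.
  value = CGI.unescape(CGI.unescapeHTML(href.to_s)).gsub(/[[:cntrl:]\s]/, '')
  return false if value.empty?
  scheme = value.match(/\A([a-z][a-z0-9+.\-]*):/i)
  # No scheme at all means a relative link such as "/about" or "#top".
  return true unless scheme
  ALLOWED_SCHEMES.include?(scheme[1].downcase)
end

# Walk every <a ...> tag in the submitted HTML and strip an href whose
# target fails safe_href?, keeping the link text itself readable.
def sanitize_links(html)
  html.gsub(/<a\b[^>]*>/i) do |tag|
    m = tag.match(/\shref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i)
    href = m && (m[1] || m[2] || m[3])
    if href.nil? || safe_href?(href)
      tag
    else
      tag.sub(m[0], '')
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of what the editor might post to the save endpoint.
  posted = '<p><a href="javascript:alert%28location%29">click</a> ' \
           '<a href="https://example.com/docs">docs</a></p>'
  puts sanitize_links(posted)
end
```

This only covers the link target; a real save path should also run the markup through a tag and attribute allowlist (for example Rails' `sanitize` helper) so that event-handler attributes and unexpected tags are dropped as well.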