I have recognized a major security issue. I am not sure if you are aware of the problem and if it's caused by your Grails plugin or by the original CKEditor:
It seems that CKEditor is creating an HTML page within an HTML page.
First of all, it's nice that someone can't hack some HTML code into the editor directly. All HTML code is escaped. So far so good.
But what you can do is load the page with CKEditor, change the HTML code of CKEditor's HTML page with, e.g., Firebug, and press save. You can basically paste any HTML page and it works.
So this would be perfect for a cross-site scripting attack, which I don't really want on my page.
Is there any way to prevent this?
Best,
Bernhard