Skip to content

Commit

Permalink
Merge branch 't/13393'
Browse files Browse the repository at this point in the history
  • Loading branch information
oleq committed Jun 15, 2015
2 parents 4734046 + af256bb commit bf64ed8
Show file tree
Hide file tree
Showing 6 changed files with 53 additions and 5 deletions.
6 changes: 2 additions & 4 deletions core/filter.js
Original file line number Diff line number Diff line change
Expand Up @@ -1779,10 +1779,8 @@
else
stripBlock( element, enterTag, toBeChecked );
}
// Special case - elements that may contain CDATA
// should be removed completely. <script> is handled
// by processProtectedElement().
else if ( name == 'style' )
// Special case - elements that may contain CDATA should be removed completely.
else if ( name in { style: 1, script: 1 } )
element.remove();
// The rest of inline elements. May also be the last resort
// for some special elements.
Expand Down
2 changes: 1 addition & 1 deletion core/htmldataprocessor.js
Original file line number Diff line number Diff line change
Expand Up @@ -869,7 +869,7 @@
var regexes = [
// Script tags will also be forced to be protected, otherwise
// IE will execute them.
( /<script[\s\S]*?<\/script>/gi ),
( /<script[\s\S]*?(<\/script>|$)/gi ),

// <noscript> tags (get lost in IE and messed up in FF).
/<noscript[\s\S]*?<\/noscript>/gi,
Expand Down
10 changes: 10 additions & 0 deletions tests/core/filter/filter.js
Original file line number Diff line number Diff line change
Expand Up @@ -745,6 +745,8 @@
'<p>X<!--{cke_protected}{C}%3C!%2D%2Dfoo%2D%2D%3E-->Y</p>', 'leave real comment' );
t( '<p>X<? echo 1; ?>Y</p>',
'<p>X<!--{cke_protected}%3C%3F%20echo%201%3B%20%3F%3E-->Y</p>', 'leave entire PHP code' );
t( '<script>alert(1);', '@', 'strip entire script (no closing)' );
t( '<script><iframe src="foo"></iframe>', '@', 'strip entire script (no closing, iframe inside)' );
},

'test leave protected elements': function() {
Expand All @@ -760,6 +762,14 @@
'<p>X<!--{cke_protected}%3C%3F%20echo%201%3B%20%3F%3E-->Y</p>', 'leave entire PHP code' );
},

// #13393
// The script's body may not be encoded if htmlDP was not used or if the encoding didn't work.
'test script removed completely when its body is not encoded': function() {
var filter = createFilter( 'p', false );

filter( '<p>X<script>alert(1);</scr' + 'ipt>X</p>', '<p>XX</p>', 'strip whole element' );
},

'test strip entire elements which may contain cdata': function() {
var t = createFilterTester( editors.themed );

Expand Down
16 changes: 16 additions & 0 deletions tests/core/htmldataprocessor.js
Original file line number Diff line number Diff line change
Expand Up @@ -754,6 +754,22 @@
bender.tools.fixHtml( dataP.toHtml( '<p><a data-href="x" href="#" src-foo="y">a</a></p>' ) ) );
},

// #13393
'test process malformed script': function() {
var dataP = this.editor.dataProcessor;

// What we check is that unclosed <script> tag will be protected.
assert.areSame( '<p>x</p><!--{cke_protected}%3Cscript%3E%3Ciframe%20src%3D%22foo%22%3E%3C%2Fiframe%3E-->',
dataP.toHtml( '<p>x</p><script><iframe src="foo"></iframe>' ) );
assert.areSame( '<p>x</p><!--{cke_protected}%3Cscript%3Ealert(1)%3B%3Cp%3Efoo%3C%2Fp%3E%3Cp%3Ebar%3C%2Fp%3E-->',
dataP.toHtml( '<p>x</p><script>alert(1);<p>foo</p><p>bar</p>' ) );
// Just to be sure that we don't swallow too much.
assert.areSame(
'<p>x</p><!--{cke_protected}%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E-->' +
'<p>foo</p><!--{cke_protected}%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E--><p>bar</p>',
dataP.toHtml( '<p>x</p><script>alert(1);</scr' + 'ipt><p>foo</p><script>alert(2);</scr' + 'ipt><p>bar</p>' ) );
},

'test toHtml event': function() {
var editor = this.editor,
calls = 0;
Expand Down
19 changes: 19 additions & 0 deletions tests/tickets/13393/1.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
<textarea id="editor1" cols="10" rows="10">
&lt;script><iframe src=javascript:alert(1)></iframe>
</textarea>

<textarea id="editor2" cols="10" rows="10">
&lt;script><iframe/src="javascript:alert(2)">
</textarea>

<textarea id="editor3" cols="10" rows="10">
&lt;script>alert(3);
</textarea>

<script>
CKEDITOR.replace( 'editor1' );
CKEDITOR.replace( 'editor2' );
CKEDITOR.replace( 'editor3', {
extraAllowedContent: 'script'
} );
</script>
5 changes: 5 additions & 0 deletions tests/tickets/13393/1.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
@bender-ui: collapsed
@bender-tags: htmldataprocessor, filter, tc, 4.4.8, 13393
@bender-ckeditor-plugins: wysiwygarea

No alerts should be opened.

0 comments on commit bf64ed8

Please sign in to comment.