CKEditor Integration / CKEDITOR-133

Use of Greasemonkey in Firefox can interfere with CKEditor content

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.10
    • Fix Version/s: 1.11
    • Labels: None

      Description

      The popular Greasemonkey browser extension in Firefox can inject <script> elements into the <body> of the CKEditor's IFRAME. These <script> elements' contents then get erroneously transformed into HTML-encoded markup that gets saved into the wiki page content.

      I was able to repro on Firefox/Greasemonkey using the following fabricated script:

      // ==UserScript==
      // @name         Example of Interfering With XWiki CKEditor
      // @namespace    http://tampermonkey.net/
      // @version      0.1
      // @description  example of interfering with XWiki CKEditor
      // @author       You
      // @include      *
      // @grant        none
      // ==/UserScript==
      
      (function() {
          'use strict';
      
          function injectFunctionIntoPage(f) {
              var script = document.createElement('script');
              script.appendChild(document.createTextNode(f));
              document.body.appendChild(script);
          }
      
          injectFunctionIntoPage('(function(){console.log("injected");})();');
      
      })();
      

      Repro:

      1. Install Greasemonkey for Firefox and add the above userscript to it.
      2. Open any XWiki CKEditor page.
      3. Switch to Source edit mode.
      4. Observe that part of the GM script gets injected as content into the editor.

      The same issue occurs if you just "Save" instead of switching to Source edit mode at step 3 above.

      Note that this issue does NOT repro on TamperMonkey/Chrome, evidently because GM runs in the context of each IFRAME on the page whereas TM only runs in the root <body>.

      My understanding is that it's not possible for a webpage to detect whether Greasemonkey is running – and this is by design.

      However, one possible reasonable fix may be to strip out any <script> elements present in the CKEditor WYSIWYG IFRAME before saving or going to Source view.

      This approach should work since a user would not normally be able to add an unencoded <script> tag to the WYSIWYG editor, and even in CKEditor's Source edit mode, typing in e.g. "<script>alert(1);</script>" gets transformed into "&lt;script&gt;alert(1);&lt;/script&gt;" when you switch back to WYSIWYG mode.

      And in the case where you write something like

      {{html}}<script>alert(1);</script>{{/html}}

      in Source edit mode, that gets transformed into

      <!--{cke_protected}%3Cscript%3E%2F%2F%3C!%5BCDATA%5B%0Aalert(1)%3B%0A%2F%2F%5D%5D%3E%3C%2Fscript%3E-->

      ... so again, this is distinct from Greasemonkey's injection of unescaped <script> elements, and thus we should still be able to safely strip out unescaped <script> elements to handle this scenario.

      This would not mitigate the potential for other kinds of HTML elements to be injected into the IFRAME body, but in the case of Greasemonkey scripts, the injection of <script> tags is by far the most common scenario, so this proposed fix seems like an appropriate solution for the specific issue outlined above.
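
The filtering proposed in the description, as an added example (not the reporter's code and not the fix that shipped in CKEditor Integration 1.11). It works on serialized HTML so it runs outside a browser; the function name `stripInjectedScripts` and the sample string are constructed for illustration.

```javascript
// Added example: remove unescaped <script> elements from serialized editor
// HTML while leaving the two legitimate forms from the description intact:
//   - CKEditor's <!--{cke_protected}...--> comment placeholders
//   - entity-encoded text such as &lt;script&gt;...&lt;/script&gt;
const SCRIPT_OPEN = /<script(?=[\s\/>])/iy;   // sticky: matches only at lastIndex
const SCRIPT_CLOSE = /<\/script[^>]*>/ig;

function stripInjectedScripts(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    // Comments are copied verbatim, so protected source is never touched.
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);
      const stop = end === -1 ? html.length : end + 3;
      out += html.slice(i, stop);
      i = stop;
      continue;
    }
    // A real script element: skip everything up to and including </script>.
    SCRIPT_OPEN.lastIndex = i;
    if (SCRIPT_OPEN.test(html)) {
      SCRIPT_CLOSE.lastIndex = i;
      const close = SCRIPT_CLOSE.exec(html);
      // An unterminated script swallows the rest of the input, as in a browser.
      i = close ? close.index + close[0].length : html.length;
      continue;
    }
    out += html[i++];
  }
  return out;
}

// Constructed sample: user content, a protected {{html}} script, encoded text,
// and the element the repro userscript appends to the editing IFRAME's body.
const SAMPLE_EDITOR_HTML =
  '<p>Hello</p>' +
  '<!--{cke_protected}%3Cscript%3E%2F%2F%3C!%5BCDATA%5B%0Aalert(1)%3B%0A%2F%2F%5D%5D%3E%3C%2Fscript%3E-->' +
  '<p>&lt;script&gt;alert(1);&lt;/script&gt;</p>' +
  '<script>(function(){console.log("injected");})();</script>';

console.log(stripInjectedScripts(SAMPLE_EDITOR_HTML));
```

As the description notes, this only covers <script>; other elements injected into the IFRAME body pass through unchanged.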

        Activity

        Marius Dumitru Florea added a comment (edited)

        Joel Thornton thanks for reporting this issue, but you forgot to mention which version of CKEditor Integration you're using. Have you tried the latest version? I recently fixed a similar bug CKEDITOR-117.

        Joel Thornton added a comment (edited)

        Hi Marius,

        I have version 1.10 of CKEditor Integration. When I type "CKEDITOR.version" in my browser console I get "4.6.0 DEV".

        If there's a newer version available I would be happy to try it out.

        Marius Dumitru Florea added a comment

        The version I was asking for is 1.10. Thanks

        Marius Dumitru Florea added a comment

        We now filter the script tags from the saved content.


          People

          • Assignee: Marius Dumitru Florea
          • Reporter: Joel Thornton
          • Votes: 0
          • Watchers: 2

          Time Tracking

          • Estimated: Not Specified
          • Remaining: 0m
          • Logged: 2h