override some CKEditor internals to invalide inline event handlers

pull/1/head
ansuz 5 years ago
parent c01cd42da2
commit c40eeff50f

@ -14,11 +14,11 @@ define(['jquery'], function ($) {
var $a = $('.cke_toolbox_main').find('.cke_button, .cke_combo_button');
$a.each(function (i, el) {
var $el = $(el);
$el.on('keydown blur focus click', function (e) {
$el.on('keydown blur focus click dragstart', function (e) {
e.preventDefault();
var attr = $(el).attr('on'+e.type);
var attr = $(el).attr('oon'+e.type);
if (!attr) { return; }
if (e.type === "blur") { return false; }
if (['blur', 'dragstart'].indexOf(e.type) !== -1) { return false; }
var reg = /CKEDITOR.tools.callFunction\(([0-9]+),(this|event)\);return false;/;
var m = attr.match(reg);
if (!m) { return; }
@ -88,7 +88,7 @@ define(['jquery'], function ($) {
}).contents().find('body').on('click dragstart mouseover mouseout', '.cke_button, a.cke_colormore, a.cke_colorbox, .cke_colorauto, .cke_combo_button, .cke_panel_listItem a, a.cke_menubutton', function (e) {
e.preventDefault();
if (e.type === 'dragstart') { return false; }
var attr = $(e.currentTarget).attr('on'+e.type);
var attr = $(e.currentTarget).attr('oon'+e.type);
if (!attr) { return; }
var reg = /CKEDITOR.tools.callFunction\(([0-9]+),'?([A-Za-z0-9 ?]+)'?(,'([A-Za-z0-9 ]+)')?\);/;
var match = attr.match(reg);

@ -980,6 +980,36 @@ define([
Ckeditor.plugins.addExternal('blockbase64', '/pad/', 'disable-base64.js');
Ckeditor.plugins.addExternal('comments', '/pad/', 'comment.js');
Ckeditor.plugins.addExternal('wordcount', '/pad/wordcount/', 'plugin.js');
/* CKEditor4 is, by default, incompatible with strong CSP settings due to the
way it loads a variety of resources and event handlers by injecting HTML
via the innerHTML API.
In most cases those handlers just call a function with an id, so there's no
strong case for why it should be done this way except that lots of code depends
on this behaviour. These handlers all stop working when we enable our default CSP,
but fortunately the code is simple enough that we can use regex to grab the id
from the inline code and call the relevant function directly, preserving the
intended behaviour while preventing malicious code injection.
Unfortunately, as long as the original code is still present the console
fills up with CSP warnings saying that inline scripts were blocked.
The code below overrides CKEditor's default `setHtml` method to include
a string.replace call which will rewrite various inline event handlers from
onevent to oonevent.. rendering them invalid as scripts and preventing
some needless noise from showing up in the console.
YAY!
*/
CKEDITOR.dom.element.prototype.setHtml = function(a){
if (/callFunction/.test(a)) {
a = a.replace(/on(mousedown|blur|keydown|focus|click|dragstart)/g, function (value) {
return 'o' + value;
});
}
return this.$.innerHTML=a;
};
module.ckeditor = editor = Ckeditor.replace('editor1', {
customConfig: '/customize/ckeditor-config.js',
});

Loading…
Cancel
Save