
CKEditor automatically removes the style attribute and adds an xss attribute 'removed' instead, e.g. if I put a style attribute on an element:

<div class="text-center" style="text-align: center;">Test Heading</div>

After saving I got the following output:

<div class="text-center" xss="removed">Test Heading</div>

My configuration is:

var toolbar_custom=[
    { name: 'document', items: [ 'Source' ] },
    { name: 'editing', items: [ 'Scayt' ] },
    { name: 'basicstyles', items: [ 'Bold', 'Italic', 'Underline', 'Strike', 'Subscript', 'Superscript', '-', 'RemoveFormat' ] },
    { name: 'paragraph', items: ['JustifyLeft', 'JustifyCenter', 'JustifyRight', 'JustifyBlock'] },
    { name: 'insert', items: [ 'Image', 'Flash', 'Table', 'HorizontalRule', 'Smiley', 'SpecialChar', 'PageBreak', 'Iframe' ] },
    { name: 'links', items: [ 'Link', 'Unlink', 'Anchor' ] },
    { name: 'styles', items: [ 'Styles', 'Format', 'Font', 'FontSize' ]}

];

jQuery(function(){
        CKEDITOR.replace('template_editor_custom',{
            uiColor:'#2778a7', 
            toolbar:toolbar_custom,
            autoParagraph:false,
            enterMode:CKEDITOR.ENTER_DIV,
            allowedContent:true,
            extraAllowedContent:'*{*}'
        })
    });

Html:

<textarea class="form-control textbox-style" id="template_editor_custom" name="page[content]" placeholder="Page content"><?php echo set_value('page[content]', $content); ?></textarea>

Asked Aug 28, 2017 by Diptesh Atha; edited Aug 29, 2017 by j.swiderski.

4 Answers


I'm using CKEditor in CodeIgniter

It worked using the 2nd argument of $this->input->post('field_name', FALSE)

Input Text

<div style="background-color:#eee; padding:15px">
    <span style="font-size:16px;"> <u>Friendly Reminder</u> </span>
</div>

Example 1

<?php
    echo html_escape($this->input->post('template_editor_custom'));
?>

Output

<div xss=removed>
    <span xss=removed> <u>Friendly Reminder</u> </span>
</div>

Example 2

<?php
    echo html_escape($this->input->post('template_editor_custom', FALSE));
?>

Output

<div style="background-color:#eee; padding:15px">
    <span style="font-size:16px;"> <u>Friendly Reminder</u> </span>
</div>

It's not an issue of CKEditor.
I suspect you are using CodeIgniter 2.x and have enabled 'Global XSS Filtering'. You need to turn it off in your config file:

$config['global_xss_filtering'] = FALSE;

xss=removed is the typical sanitizing method used in CodeIgniter.

I solved my problem by changing the core/Security.php file. Just go to the _sanitize_naughty_html function and remove the style entry from these two static arrays:

static $naughty_tags = array(
    'alert', 'prompt', 'confirm', 'applet', 'audio', 'basefont', 'base', 'behavior', 'bgsound',
    'blink', 'body', 'embed', 'expression', 'form', 'frameset', 'frame', 'head', 'html', 'ilayer',
    'iframe', 'input', 'button', 'select', 'isindex', 'layer', 'link', 'meta', 'keygen', 'object',
    'plaintext', 'style', 'script', 'textarea', 'title', 'math', 'video', 'svg', 'xml', 'xss'
);

static $evil_attributes = array(
    'on\w+', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime'
);

I solved the problem this way without compromising my entire site's security. In future, if you want to upgrade your CI version, then after upgrading find these two arrays inside the _sanitize_naughty_html function in Security.php and remove the style entry from both lists.

Thank You.

There is no issue with CKEDITOR.

Turn it off in the config file as below and it will work:

$config['global_xss_filtering'] = FALSE;
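The three answers above either switch CodeIgniter's XSS filter off for the whole site or edit the core Security.php; the latter also drops 'style' from $naughty_tags, which lets <style> elements through as well as the attribute. A narrower fix keeps the filter and allows only the handful of inline CSS properties the toolbar on this page can produce, with plain values. The following is an added example and not code from the question, the answers, CodeIgniter or CKEditor; the property list, the value pattern and all function names are assumptions of this example. It demonstrates the allow-list logic in JavaScript; on the PHP side the equivalent is a parser-based sanitizer such as HTML Purifier with its CSS.AllowedProperties directive restricted to the same list, applied to the raw field value obtained with $this->input->post('page[content]', FALSE).

```javascript
// Added example: allow-list filter for inline style attributes.
// Not part of CKEditor or CodeIgniter; the property list, the value
// pattern and every function name here are assumptions of this example.
//
// CodeIgniter's XSS filter drops the whole style attribute (leaving
// xss="removed") because CSS values can carry executable constructs
// such as expression(), url(javascript:...) or behavior:. Keeping only
// the properties the editor toolbar actually produces, with plain
// values, gives the author back text-align/font-size/colour without
// switching the filter off for the whole site.

// CSS properties the toolbar on the page can generate (assumed list).
const ALLOWED_PROPERTIES = new Set([
  'text-align', 'font-size', 'font-family', 'font-weight', 'font-style',
  'text-decoration', 'color', 'background-color', 'padding', 'margin',
]);

// A value is safe only if it is made of identifiers, numbers, units,
// #hex colours and separators, or is a plain rgb()/rgba() colour.
// Parentheses, quotes, backslashes, '<', '&' and ':' are rejected,
// which covers expression(), url(...) and escaped/entity-encoded forms.
const SAFE_VALUE = /^[a-zA-Z0-9#%.,\s-]+$|^rgba?\(\s*[\d.,\s%]+\)$/;

// Matches style="...", style='...' and unquoted style=value.
const STYLE_ATTR = /\sstyle\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Filter one declaration list ("a: b; c: d"). Returns the surviving
// declarations joined with "; ", or null when none survive.
function filterDeclarations(css) {
  const kept = [];
  for (const decl of css.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;                       // not "property: value"
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) continue; // property not on the list
    if (!SAFE_VALUE.test(value)) continue;       // suspicious value
    kept.push(`${prop}: ${value}`);
  }
  return kept.length > 0 ? kept.join('; ') : null;
}

// Rewrite every style attribute in an HTML string. When nothing in a
// declaration list survives, the attribute is replaced by the same
// xss="removed" marker CodeIgniter uses, so removals stay visible in
// stored content and logs.
function sanitizeStyleAttributes(html) {
  return html.replace(STYLE_ATTR, (_match, dq, sq, uq) => {
    const css = dq !== undefined ? dq : (sq !== undefined ? sq : uq);
    const clean = filterDeclarations(css);
    return clean === null ? ' xss="removed"' : ` style="${clean}"`;
  });
}

// Constructed sample inputs: the question's heading, the first answer's
// reminder box, and two hostile declarations the allow-list must reject.
const SAMPLES = [
  '<div class="text-center" style="text-align: center;">Test Heading</div>',
  '<div style="background-color:#eee; padding:15px"><span style="font-size:16px;"> <u>Friendly Reminder</u> </span></div>',
  '<div style="color: expression(alert(1))">x</div>',
  "<p style='font-size:16px; behavior: url(evil.htc)'>y</p>",
];

for (const html of SAMPLES) {
  console.log(sanitizeStyleAttributes(html));
}
```

The regex-based attribute rewriting is enough to show the allow-list decision; it is not an HTML parser, so in a real deployment the same property and value rules belong inside a parser-based sanitizer that runs server-side on the raw POST value, with global_xss_filtering left on for every other field.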
