[wp-trac] [WordPress Trac] #27858: Bug HTML onmouseover and onmouseout
WordPress Trac
noreply at wordpress.org
Fri Aug 1 18:35:33 UTC 2014
#27858: Bug HTML onmouseover and onmouseout
--------------------------+-------------------------
Reporter: TTBoS | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.0
Component: TinyMCE | Version: 3.9
Severity: normal | Resolution:
Keywords: | Focuses: javascript
--------------------------+-------------------------
Comment (by adamsilverstein):
Replying to [comment:17 azaozz]:
> > ...I added an onclick handler - I don't see it firing anywhere when
> > I'm in the editor.
>
> Generally all browsers disable links, forms and scripts in
> contentEditable. However the `on*` attributes are not disabled. The above
> patch prevents MCE from filtering only `onmouseover` and `onmouseout` for
> images, perhaps test with: `<img src="x" onmouseover="alert('xss')">`
Ok, missed that - didn't look at the patch carefully enough. You are
correct, the action fires in the editor, which isn't great - however,
testing in 3.8 I see the same behavior, so this isn't a regression and
seems much better than stripping the existing data. What do you think,
still worth the effort at the kludgy fix described above?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27858#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform