prudloff (Lille, France):
A potential solution would be to add a warning for text format when user uses configuration that is known to enable self-XSS.
Could this be covered by "Provide warning when trying to use dangerous HTML markup" (status: Needs work)?
Moving information from https://security.drupal.org/node/177240 where it was determined that this can be handled in public.
There are some edge cases in CKEditor 5 where it is possible to obfuscate JavaScript in attribute values in a way that prevents CKEditor 5 from detecting them as JavaScript. For example, if CKEditor 5 source editing has been configured to allow <iframe src>, it is possible to self-XSS with <iframe src="jav ascript:alert('XSS');"></iframe> through source editing.
This could be tricky to handle on the CKEditor 5 side. A potential solution would be to add a warning for a text format when a user uses a configuration that is known to enable self-XSS.
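An added example (not CKEditor 5 or Drupal code) showing why a literal string match misses the obfuscated value above and how a normalising check catches it; the function names (decodeEntities, normalizeUrl, isDangerousUrl) and the sample values are assumptions made for illustration, and the check is the kind a text-format warning could be built on:

```javascript
// Added example, not code from CKEditor 5 or Drupal: decide whether an
// attribute value such as <iframe src="..."> carries a javascript: URL,
// even when the scheme is obfuscated as in the self-XSS case above.

const DANGEROUS_SCHEMES = ['javascript', 'vbscript'];

// Step 1: HTML attribute values are entity-decoded before the browser sees
// the URL, so undo numeric entities and the named ones that matter here.
const cp = (n) => (n > 0x10ffff ? '' : String.fromCodePoint(n));
function decodeEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// Step 2: browsers drop ASCII tab/newline anywhere in a URL and leading C0
// controls/space before reading the scheme, so "jav<TAB>ascript:" still runs.
// A warning check can safely be stricter and strip every C0 control and
// space, which also catches the sample exactly as it is printed above.
function normalizeUrl(value) {
  return decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// Literal match on the raw value: the check the obfuscated sample slips past.
function naiveIsDangerous(value) {
  return /^\s*javascript:/i.test(value);
}

// Normalise first, then compare the parsed scheme against the deny list.
// Values without a scheme (relative URLs) are treated as safe here.
function isDangerousUrl(value) {
  const match = /^([a-z][a-z0-9+.-]*):/.exec(normalizeUrl(value));
  return match !== null && DANGEROUS_SCHEMES.includes(match[1]);
}

// Constructed samples: the obfuscated value from the issue (tab variant),
// an entity-encoded variant, and two benign URLs.
const SAMPLES = [
  "jav\tascript:alert('XSS');",
  "&#106;avascript:alert('XSS')",
  'https://example.com/embed',
  '/node/1',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), 'naive:', naiveIsDangerous(s), 'hardened:', isDangerousUrl(s));
}
```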
Status: Active
Version: 11.0
Component: ckeditor5.module