Possible venerability in WYSIWYG editor

> I just noticed a potential venerability in the WYSIWYG editor.
>
> This control allows users to create html, although the user is restricted
> from entering html directly (normally you have to use the buttons provided:
> bold, underlined, justified etc). However it seems that from within a web
> browser you can select a range of html from anywhere on a webpage and
> drag-n-drop the selected text into the WYSIWYG editor. Rather then
> converting this pasted content into plain text, the content is embedded
> directly as html!
>
> I tested this in both Firefox and IE.
>
> This potentially allows someone to insert javascript functions which might
> get saved and then rendered by the web application when you next display
> the data.
>
> I personally would like to see all text pasted into the control be
> converted into plain text (if this is possible), or at the very least make
> developers using this control aware of the potential for such an injection
> attack.
>
> Chris.
> --
> ----------------------
> Chris Bailey
> [hidden email]
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>

> Hi Chris,
>
> I am not sure to follow: where is it that you would like the HTML to
> be embedded as text rather than HTML?
>
> Alex
>
> On 4/25/07, Chris Bailey <[hidden email]> wrote:
>> I just noticed a potential venerability in the WYSIWYG editor.
>>
>> This control allows users to create html, although the user is restricted
>> from entering html directly (normally you have to use the buttons
>> provided: bold, underlined, justified etc). However it seems that from
>> within a web browser you can select a range of html from anywhere on a
>> webpage and drag-n-drop the selected text into the WYSIWYG editor.
>> Rather then converting this pasted content into plain text, the content
>> is embedded directly as html!
>>
>> I tested this in both Firefox and IE.
>>
>> This potentially allows someone to insert javascript functions which
>> might get saved and then rendered by the web application when you next
>> display the data.
>>
>> I personally would like to see all text pasted into the control be
>> converted into plain text (if this is possible), or at the very least
>> make developers using this control aware of the potential for such an
>> injection attack.
>>
>> Chris.
>> --
>> ----------------------
>> Chris Bailey
>> [hidden email]
>>
>>
>>
>> --
>> You receive this message as a subscriber of the [hidden email]
>> mailing list. To unsubscribe: mailto:[hidden email]
>> For general help: mailto:[hidden email]?subject=help
>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>

> Hmm I'm not sure I explained myself very well then.
>
> The WYSIWYG essentially allows a user to author a piece of HTML much like
> they would do in a word document if they saved it as HTML.
>
> However the author is not exposed to the raw HTML as it's wrapped up behind
> the WYSIWYG interface.
>
> As a developer you might use the WYSIWYG editor to let users create small
> pieces of html which you would then save to a database and later, when
> requested, retrieve the html and display it (using a <xforms:output
> ref="myinstance/wysiwyg_generated_content" mediatype="text/html"/>). You
> would think that as the WYSIWYG control has been used to generate this
> content that it would only contain *safe* html to display.
> However I have noticed that you can drag *any* html into the WYSIWYG editor
> which can then be saved and would be rendered. I have produced a small SWF
> screen video to show this in action.
>
> The fix I believe is that when you paste content into the WYSIWYG editor
> that (if the editor could detect this CTRL+V action) the editor first
> strips all html tags from the clipboard (i.e. when in Word performing a
> Paste Special->Unformatted Text).
>
> I hope this makes things clearer.
>
> Chris.
>
>
> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]> wrote:
>
> > Hi Chris,
> >
> > I am not sure to follow: where is it that you would like the HTML to
> > be embedded as text rather than HTML?
> >
> > Alex
> >
> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
> >> I just noticed a potential venerability in the WYSIWYG editor.
> >>
> >> This control allows users to create html, although the user is restricted
> >> from entering html directly (normally you have to use the buttons
> >> provided: bold, underlined, justified etc). However it seems that from
> >> within a web browser you can select a range of html from anywhere on a
> >> webpage and drag-n-drop the selected text into the WYSIWYG editor.
> >> Rather then converting this pasted content into plain text, the content
> >> is embedded directly as html!
> >>
> >> I tested this in both Firefox and IE.
> >>
> >> This potentially allows someone to insert javascript functions which
> >> might get saved and then rendered by the web application when you next
> >> display the data.
> >>
> >> I personally would like to see all text pasted into the control be
> >> converted into plain text (if this is possible), or at the very least
> >> make developers using this control aware of the potential for such an
> >> injection attack.
> >>
> >> Chris.
> >> --
> >> ----------------------
> >> Chris Bailey
> >> [hidden email]
> >>
> >>
> >>
> >> --
> >> You receive this message as a subscriber of the [hidden email]
> >> mailing list. To unsubscribe: mailto:[hidden email]
> >> For general help: mailto:[hidden email]?subject=help
> >> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
> >>
>
>
>
> --
> ----------------------
> Chris Bailey
> [hidden email]
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>
>

> which can then be saved and would be rendered. I have produced a small SWF
> screen video to show this in action.
>
> The fix I believe is that when you paste content into the WYSIWYG editor
> that (if the editor could detect this CTRL+V action) the editor first
> strips all html tags from the clipboard (i.e. when in Word performing a
> Paste Special->Unformatted Text).
>
> I hope this makes things clearer.
>
> Chris.
>
>
> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>

>
> > Hi Chris,
> >
> > I am not sure to follow: where is it that you would like the HTML to
> > be embedded as text rather than HTML?
> >
> > Alex
> >
> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
> >> I just noticed a potential venerability in the WYSIWYG editor.
> >>
> >> This control allows users to create html, although the user is

> >> from entering html directly (normally you have to use the buttons
> >> provided: bold, underlined, justified etc). However it seems that from
> >> within a web browser you can select a range of html from anywhere on a
> >> webpage and drag-n-drop the selected text into the WYSIWYG editor.
> >> Rather then converting this pasted content into plain text, the content
> >> is embedded directly as html!
> >>
> >> I tested this in both Firefox and IE.
> >>
> >> This potentially allows someone to insert javascript functions which
> >> might get saved and then rendered by the web application when you next
> >> display the data.
> >>
> >> I personally would like to see all text pasted into the control be
> >> converted into plain text (if this is possible), or at the very least
> >> make developers using this control aware of the potential for such an
> >> injection attack.
> >>
> >> Chris.
> >> --
> >> ----------------------
> >> Chris Bailey
> >> [hidden email]
> >>
> >>
> >>
> >> --
> >> You receive this message as a subscriber of the [hidden email]
> >> mailing list. To unsubscribe:

> >> For general help: mailto:[hidden email]?subject=help
> >> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
> >>
>
>
>
> --
> ----------------------
> Chris Bailey
> [hidden email]
>
> --
> You receive this message as a subscriber of the [hidden email]

> Oops: try http://software.graflex.org/dexss as FreshMeat's search db hasn't
> updated yet.
>
> -----Original Message-----
> From: Leigh L. Klotz, Jr. [mailto:[hidden email]]
> Sent: Thursday, April 26, 2007 11:34 AM
> To: [hidden email]
> Subject: RE: [ops-users] Possible venerability in WYSIWYG editor
>
> You might be interested in DeXSS which we have just released as open source
> under AFL 3.0.
> http://freshmeat.net/dexss
>
> Leigh.
>
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>

> Hi Chris,
>
> OK, sorry, now I understand. We are using the FCKeditor as our HTML
> editor. There is a configuration called ForcePasteAsPlainText, which
> forces something you paste to be considered as plain text. See:
>
> http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configuration
> s_Settings#ForcePasteAsPlainText
>
> Would this do the trick, or is it too aggressive? You can enable this
> by extracting the fckeditor.js from ops-resources-public.jar, and
> placing it in your resources under ops/fckeditor, and editing the file
> to add that option.
>
> Alex
>
> On 4/26/07, Chris Bailey <[hidden email]> wrote:
>> Hmm I'm not sure I explained myself very well then.
>>
>> The WYSIWYG essentially allows a user to author a piece of HTML much like
>> they would do in a word document if they saved it as HTML.
>>
>> However the author is not exposed to the raw HTML as it's wrapped up
>> behind the WYSIWYG interface.
>>
>> As a developer you might use the WYSIWYG editor to let users create small
>> pieces of html which you would then save to a database and later, when
>> requested, retrieve the html and display it (using a <xforms:output
>> ref="myinstance/wysiwyg_generated_content" mediatype="text/html"/>). You
>> would think that as the WYSIWYG control has been used to generate this
>> content that it would only contain *safe* html to display.
>> However I have noticed that you can drag *any* html into the WYSIWYG
>> editor which can then be saved and would be rendered. I have produced a
>> small SWF screen video to show this in action.
>>
>> The fix I believe is that when you paste content into the WYSIWYG editor
>> that (if the editor could detect this CTRL+V action) the editor first
>> strips all html tags from the clipboard (i.e. when in Word performing a
>> Paste Special->Unformatted Text).
>>
>> I hope this makes things clearer.
>>
>> Chris.
>>
>>
>> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
>> wrote:
>>
>> > Hi Chris,
>> >
>> > I am not sure to follow: where is it that you would like the HTML to
>> > be embedded as text rather than HTML?
>> >
>> > Alex
>> >
>> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
>> >> I just noticed a potential venerability in the WYSIWYG editor.
>> >>
>> >> This control allows users to create html, although the user is
>> >> restricted from entering html directly (normally you have to use the
>> >> buttons provided: bold, underlined, justified etc). However it seems
>> >> that from within a web browser you can select a range of html from
>> >> anywhere on a webpage and drag-n-drop the selected text into the
>> >> WYSIWYG editor. Rather then converting this pasted content into plain
>> >> text, the content is embedded directly as html!
>> >>
>> >> I tested this in both Firefox and IE.
>> >>
>> >> This potentially allows someone to insert javascript functions which
>> >> might get saved and then rendered by the web application when you next
>> >> display the data.
>> >>
>> >> I personally would like to see all text pasted into the control be
>> >> converted into plain text (if this is possible), or at the very least
>> >> make developers using this control aware of the potential for such an
>> >> injection attack.
>> >>
>> >> Chris.
>> >> --
>> >> ----------------------
>> >> Chris Bailey
>> >> [hidden email]
>> >>
>> >>
>> >>
>> >> --
>> >> You receive this message as a subscriber of the
>> >> [hidden email] mailing list. To unsubscribe:
>> >> mailto:[hidden email] For general help:
>> >> mailto:[hidden email]?subject=help
>> >> ObjectWeb mailing lists service home page:
>> >> http://www.objectweb.org/wws
>> >>
>>
>>
>>
>> --
>> ----------------------
>> Chris Bailey
>> [hidden email]
>>
>> --
>> You receive this message as a subscriber of the [hidden email]
>> mailing list. To unsubscribe: mailto:[hidden email]
>> For general help: mailto:[hidden email]?subject=help
>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>
>>

> Ah thanks Alex - that's exactly the setting I wanted but it seems the
> setting is in fckconfig.js not fckeditor.js
>
> However if I extract that file out to resources/ops/fckeditor as you
> suggested it isn't being picked up (although fckeditor.js is)
>
> I notice the config file is being loaded from
> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
> while the editor is obtained from
> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
>
> Is this an bug in the ops referencing of the files or a fckeditor issue?
>
> Chris.
>
> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]> wrote:
>
> > Hi Chris,
> >
> > OK, sorry, now I understand. We are using the FCKeditor as our HTML
> > editor. There is a configuration called ForcePasteAsPlainText, which
> > forces something you paste to be considered as plain text. See:
> >
> > http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configuration
> > s_Settings#ForcePasteAsPlainText
> >
> > Would this do the trick, or is it too aggressive? You can enable this
> > by extracting the fckeditor.js from ops-resources-public.jar, and
> > placing it in your resources under ops/fckeditor, and editing the file
> > to add that option.
> >
> > Alex
> >
> > On 4/26/07, Chris Bailey <[hidden email]> wrote:
> >> Hmm I'm not sure I explained myself very well then.
> >>
> >> The WYSIWYG essentially allows a user to author a piece of HTML much like
> >> they would do in a word document if they saved it as HTML.
> >>
> >> However the author is not exposed to the raw HTML as it's wrapped up
> >> behind the WYSIWYG interface.
> >>
> >> As a developer you might use the WYSIWYG editor to let users create small
> >> pieces of html which you would then save to a database and later, when
> >> requested, retrieve the html and display it (using a <xforms:output
> >> ref="myinstance/wysiwyg_generated_content" mediatype="text/html"/>). You
> >> would think that as the WYSIWYG control has been used to generate this
> >> content that it would only contain *safe* html to display.
> >> However I have noticed that you can drag *any* html into the WYSIWYG
> >> editor which can then be saved and would be rendered. I have produced a
> >> small SWF screen video to show this in action.
> >>
> >> The fix I believe is that when you paste content into the WYSIWYG editor
> >> that (if the editor could detect this CTRL+V action) the editor first
> >> strips all html tags from the clipboard (i.e. when in Word performing a
> >> Paste Special->Unformatted Text).
> >>
> >> I hope this makes things clearer.
> >>
> >> Chris.
> >>
> >>
> >> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
> >> wrote:
> >>
> >> > Hi Chris,
> >> >
> >> > I am not sure to follow: where is it that you would like the HTML to
> >> > be embedded as text rather than HTML?
> >> >
> >> > Alex
> >> >
> >> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
> >> >> I just noticed a potential venerability in the WYSIWYG editor.
> >> >>
> >> >> This control allows users to create html, although the user is
> >> >> restricted from entering html directly (normally you have to use the
> >> >> buttons provided: bold, underlined, justified etc). However it seems
> >> >> that from within a web browser you can select a range of html from
> >> >> anywhere on a webpage and drag-n-drop the selected text into the
> >> >> WYSIWYG editor. Rather then converting this pasted content into plain
> >> >> text, the content is embedded directly as html!
> >> >>
> >> >> I tested this in both Firefox and IE.
> >> >>
> >> >> This potentially allows someone to insert javascript functions which
> >> >> might get saved and then rendered by the web application when you next
> >> >> display the data.
> >> >>
> >> >> I personally would like to see all text pasted into the control be
> >> >> converted into plain text (if this is possible), or at the very least
> >> >> make developers using this control aware of the potential for such an
> >> >> injection attack.
> >> >>
> >> >> Chris.
> >> >> --
> >> >> ----------------------
> >> >> Chris Bailey
> >> >> [hidden email]
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> You receive this message as a subscriber of the
> >> >> [hidden email] mailing list. To unsubscribe:
> >> >> mailto:[hidden email] For general help:
> >> >> mailto:[hidden email]?subject=help
> >> >> ObjectWeb mailing lists service home page:
> >> >> http://www.objectweb.org/wws
> >> >>
> >>
> >>
> >>
> >> --
> >> ----------------------
> >> Chris Bailey
> >> [hidden email]
> >>
> >> --
> >> You receive this message as a subscriber of the [hidden email]
> >> mailing list. To unsubscribe: mailto:[hidden email]
> >> For general help: mailto:[hidden email]?subject=help
> >> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
> >>
> >>
>
>
>
> --
> ----------------------
> Chris Bailey
> [hidden email]
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>

> Ah thanks Alex - that's exactly the setting I wanted but it seems the
> setting is in fckconfig.js not fckeditor.js
>
> However if I extract that file out to resources/ops/fckeditor as you
> suggested it isn't being picked up (although fckeditor.js is)
>
> I notice the config file is being loaded from
> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
> while the editor is obtained from
> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
>
> Is this an bug in the ops referencing of the files or a fckeditor issue?
>
> Chris.
>
> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]>
> wrote:
>
>> Hi Chris,
>>
>> OK, sorry, now I understand. We are using the FCKeditor as our HTML
>> editor. There is a configuration called ForcePasteAsPlainText, which
>> forces something you paste to be considered as plain text. See:
>>
>> http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configuration
>> s_Settings#ForcePasteAsPlainText
>>
>> Would this do the trick, or is it too aggressive? You can enable this
>> by extracting the fckeditor.js from ops-resources-public.jar, and
>> placing it in your resources under ops/fckeditor, and editing the file
>> to add that option.
>>
>> Alex
>>
>> On 4/26/07, Chris Bailey <[hidden email]> wrote:
>>> Hmm I'm not sure I explained myself very well then.
>>>
>>> The WYSIWYG essentially allows a user to author a piece of HTML much
>>> like
>>> they would do in a word document if they saved it as HTML.
>>>
>>> However the author is not exposed to the raw HTML as it's wrapped up
>>> behind the WYSIWYG interface.
>>>
>>> As a developer you might use the WYSIWYG editor to let users create
>>> small
>>> pieces of html which you would then save to a database and later, when
>>> requested, retrieve the html and display it (using a <xforms:output
>>> ref="myinstance/wysiwyg_generated_content" mediatype="text/html"/>). You
>>> would think that as the WYSIWYG control has been used to generate this
>>> content that it would only contain *safe* html to display.
>>> However I have noticed that you can drag *any* html into the WYSIWYG
>>> editor which can then be saved and would be rendered. I have produced a
>>> small SWF screen video to show this in action.
>>>
>>> The fix I believe is that when you paste content into the WYSIWYG editor
>>> that (if the editor could detect this CTRL+V action) the editor first
>>> strips all html tags from the clipboard (i.e. when in Word performing a
>>> Paste Special->Unformatted Text).
>>>
>>> I hope this makes things clearer.
>>>
>>> Chris.
>>>
>>>
>>> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
>>> wrote:
>>>
>>> > Hi Chris,
>>> >
>>> > I am not sure to follow: where is it that you would like the HTML to
>>> > be embedded as text rather than HTML?
>>> >
>>> > Alex
>>> >
>>> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
>>> >> I just noticed a potential venerability in the WYSIWYG editor.
>>> >>
>>> >> This control allows users to create html, although the user is
>>> >> restricted from entering html directly (normally you have to use the
>>> >> buttons provided: bold, underlined, justified etc). However it seems
>>> >> that from within a web browser you can select a range of html from
>>> >> anywhere on a webpage and drag-n-drop the selected text into the
>>> >> WYSIWYG editor. Rather then converting this pasted content into plain
>>> >> text, the content is embedded directly as html!
>>> >>
>>> >> I tested this in both Firefox and IE.
>>> >>
>>> >> This potentially allows someone to insert javascript functions which
>>> >> might get saved and then rendered by the web application when you
>>> next
>>> >> display the data.
>>> >>
>>> >> I personally would like to see all text pasted into the control be
>>> >> converted into plain text (if this is possible), or at the very least
>>> >> make developers using this control aware of the potential for such an
>>> >> injection attack.
>>> >>
>>> >> Chris.
>>> >> --
>>> >> ----------------------
>>> >> Chris Bailey
>>> >> [hidden email]
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> You receive this message as a subscriber of the
>>> >> [hidden email] mailing list. To unsubscribe:
>>> >> mailto:[hidden email] For general help:
>>> >> mailto:[hidden email]?subject=help
>>> >> ObjectWeb mailing lists service home page:
>>> >> http://www.objectweb.org/wws
>>> >>
>>>
>>>
>>>
>>> --
>>> ----------------------
>>> Chris Bailey
>>> [hidden email]
>>>
>>> --
>>> You receive this message as a subscriber of the [hidden email]
>>> mailing list. To unsubscribe: mailto:[hidden email]
>>> For general help: mailto:[hidden email]?subject=help
>>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>>
>>>
>
>
>

>
> Alex
>
> On 4/27/07, Chris Bailey <[hidden email]> wrote:
>> Ah thanks Alex - that's exactly the setting I wanted but it seems the
>> setting is in fckconfig.js not fckeditor.js
>>
>> However if I extract that file out to resources/ops/fckeditor as you
>> suggested it isn't being picked up (although fckeditor.js is)
>>
>> I notice the config file is being loaded from
>> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
>> while the editor is obtained from
>> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
>>
>> Is this an bug in the ops referencing of the files or a fckeditor issue?
>>
>> Chris.
>>
>> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]>
>> wrote:
>>
>> > Hi Chris,
>> >
>> > OK, sorry, now I understand. We are using the FCKeditor as our HTML
>> > editor. There is a configuration called ForcePasteAsPlainText, which
>> > forces something you paste to be considered as plain text. See:
>> >
>> > http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configurat
>> > ion s_Settings#ForcePasteAsPlainText
>> >
>> > Would this do the trick, or is it too aggressive? You can enable this
>> > by extracting the fckeditor.js from ops-resources-public.jar, and
>> > placing it in your resources under ops/fckeditor, and editing the file
>> > to add that option.
>> >
>> > Alex
>> >
>> > On 4/26/07, Chris Bailey <[hidden email]> wrote:
>> >> Hmm I'm not sure I explained myself very well then.
>> >>
>> >> The WYSIWYG essentially allows a user to author a piece of HTML much
>> >> like they would do in a word document if they saved it as HTML.
>> >>
>> >> However the author is not exposed to the raw HTML as it's wrapped up
>> >> behind the WYSIWYG interface.
>> >>
>> >> As a developer you might use the WYSIWYG editor to let users create
>> >> small pieces of html which you would then save to a database and
>> >> later, when requested, retrieve the html and display it (using a
>> >> <xforms:output ref="myinstance/wysiwyg_generated_content"
>> >> mediatype="text/html"/>). You would think that as the WYSIWYG control
>> >> has been used to generate this content that it would only contain
>> >> *safe* html to display.
>> >> However I have noticed that you can drag *any* html into the WYSIWYG
>> >> editor which can then be saved and would be rendered. I have produced
>> >> a small SWF screen video to show this in action.
>> >>
>> >> The fix I believe is that when you paste content into the WYSIWYG
>> >> editor that (if the editor could detect this CTRL+V action) the
>> >> editor first strips all html tags from the clipboard (i.e. when in
>> >> Word performing a Paste Special->Unformatted Text).
>> >>
>> >> I hope this makes things clearer.
>> >>
>> >> Chris.
>> >>
>> >>
>> >> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
>> >> wrote:
>> >>
>> >> > Hi Chris,
>> >> >
>> >> > I am not sure to follow: where is it that you would like the HTML to
>> >> > be embedded as text rather than HTML?
>> >> >
>> >> > Alex
>> >> >
>> >> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
>> >> >> I just noticed a potential venerability in the WYSIWYG editor.
>> >> >>
>> >> >> This control allows users to create html, although the user is
>> >> >> restricted from entering html directly (normally you have to use
>> >> >> the buttons provided: bold, underlined, justified etc). However it
>> >> >> seems that from within a web browser you can select a range of
>> >> >> html from anywhere on a webpage and drag-n-drop the selected text
>> >> >> into the WYSIWYG editor. Rather then converting this pasted
>> >> >> content into plain text, the content is embedded directly as html!
>> >> >>
>> >> >> I tested this in both Firefox and IE.
>> >> >>
>> >> >> This potentially allows someone to insert javascript functions
>> >> >> which might get saved and then rendered by the web application
>> >> >> when you next display the data.
>> >> >>
>> >> >> I personally would like to see all text pasted into the control be
>> >> >> converted into plain text (if this is possible), or at the very
>> >> >> least make developers using this control aware of the potential
>> >> >> for such an injection attack.
>> >> >>
>> >> >> Chris.
>> >> >> --
>> >> >> ----------------------
>> >> >> Chris Bailey
>> >> >> [hidden email]
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> You receive this message as a subscriber of the
>> >> >> [hidden email] mailing list. To unsubscribe:
>> >> >> mailto:[hidden email] For general help:
>> >> >> mailto:[hidden email]?subject=help
>> >> >> ObjectWeb mailing lists service home page:
>> >> >> http://www.objectweb.org/wws
>> >> >>
>> >>
>> >>
>> >>
>> >> --
>> >> ----------------------
>> >> Chris Bailey
>> >> [hidden email]
>> >>
>> >> --
>> >> You receive this message as a subscriber of the
>> >> [hidden email] mailing list. To unsubscribe:
>> >> mailto:[hidden email] For general help:
>> >> mailto:[hidden email]?subject=help
>> >> ObjectWeb mailing lists service home page:
>> >> http://www.objectweb.org/wws
>> >>
>> >>
>>
>>
>>
>> --
>> ----------------------
>> Chris Bailey
>> [hidden email]
>>
>>
>>
>> --
>> You receive this message as a subscriber of the [hidden email]
>> mailing list. To unsubscribe: mailto:[hidden email]
>> For general help: mailto:[hidden email]?subject=help
>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>

> Hmm I'm using 3.5.1.200704201904 but I've had so many issues with this
> build that I'm thinking of reverting to an earlier one (the biggest issue
> I've not mentioned yet is that when I view any xforms page in IE it
> freezes up IE completely! - I have to then kill it from the task
> manager!)).
>
> I could try the very latest build and if that doesn't work I'll go back
> to 3.5.0
>
> Chris.
>
>
> --On 27 April 2007 18:17 -0700 Alessandro Vernet <[hidden email]>
> wrote:
>
>> Hi Chris,
>>
>> Sorry, my bad: indeed, I intended to write fckconfig.js, not
>> fckeditor.js. I think the double slash issue has been fixed. Are you
>> using Orbeon Forms 3.5.1?
>>
>> BTW, even with double slash, your fckconfig.js should be loaded. Did
>> you place it under resources/ops/fckeditor? Can you try to go to that
>> URL directly with your browser and see if the right file is loaded?
> It does seem to be there so maybe I just needed to restart tomcat and my
> browser.
>
>> This file is loaded in such a way that even ctrl-reloading your page
>> won't pick up a new version of the file.
>
>
>>
>> Alex
>>
>> On 4/27/07, Chris Bailey <[hidden email]> wrote:
>>> Ah thanks Alex - that's exactly the setting I wanted but it seems the
>>> setting is in fckconfig.js not fckeditor.js
>>>
>>> However if I extract that file out to resources/ops/fckeditor as you
>>> suggested it isn't being picked up (although fckeditor.js is)
>>>
>>> I notice the config file is being loaded from
>>> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
>>> while the editor is obtained from
>>> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
>>>
>>> Is this an bug in the ops referencing of the files or a fckeditor issue?
>>>
>>> Chris.
>>>
>>> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]>
>>> wrote:
>>>
>>> > Hi Chris,
>>> >
>>> > OK, sorry, now I understand. We are using the FCKeditor as our HTML
>>> > editor. There is a configuration called ForcePasteAsPlainText, which
>>> > forces something you paste to be considered as plain text. See:
>>> >
>>> > http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configurat
>>> > ion s_Settings#ForcePasteAsPlainText
>>> >
>>> > Would this do the trick, or is it too aggressive? You can enable this
>>> > by extracting the fckeditor.js from ops-resources-public.jar, and
>>> > placing it in your resources under ops/fckeditor, and editing the file
>>> > to add that option.
>>> >
>>> > Alex
>>> >
>>> > On 4/26/07, Chris Bailey <[hidden email]> wrote:
>>> >> Hmm I'm not sure I explained myself very well then.
>>> >>
>>> >> The WYSIWYG essentially allows a user to author a piece of HTML much
>>> >> like they would do in a word document if they saved it as HTML.
>>> >>
>>> >> However the author is not exposed to the raw HTML as it's wrapped up
>>> >> behind the WYSIWYG interface.
>>> >>
>>> >> As a developer you might use the WYSIWYG editor to let users create
>>> >> small pieces of html which you would then save to a database and
>>> >> later, when requested, retrieve the html and display it (using a
>>> >> <xforms:output ref="myinstance/wysiwyg_generated_content"
>>> >> mediatype="text/html"/>). You would think that as the WYSIWYG control
>>> >> has been used to generate this content that it would only contain
>>> >> *safe* html to display.
>>> >> However I have noticed that you can drag *any* html into the WYSIWYG
>>> >> editor which can then be saved and would be rendered. I have produced
>>> >> a small SWF screen video to show this in action.
>>> >>
>>> >> The fix I believe is that when you paste content into the WYSIWYG
>>> >> editor that (if the editor could detect this CTRL+V action) the
>>> >> editor first strips all html tags from the clipboard (i.e. when in
>>> >> Word performing a Paste Special->Unformatted Text).
>>> >>
>>> >> I hope this makes things clearer.
>>> >>
>>> >> Chris.
>>> >>
>>> >>
>>> >> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
>>> >> wrote:
>>> >>
>>> >> > Hi Chris,
>>> >> >
>>> >> > I am not sure to follow: where is it that you would like the HTML
>>> >> > to be embedded as text rather than HTML?
>>> >> >
>>> >> > Alex
>>> >> >
>>> >> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
>>> >> >> I just noticed a potential venerability in the WYSIWYG editor.
>>> >> >>
>>> >> >> This control allows users to create html, although the user is
>>> >> >> restricted from entering html directly (normally you have to use
>>> >> >> the buttons provided: bold, underlined, justified etc). However it
>>> >> >> seems that from within a web browser you can select a range of
>>> >> >> html from anywhere on a webpage and drag-n-drop the selected text
>>> >> >> into the WYSIWYG editor. Rather then converting this pasted
>>> >> >> content into plain text, the content is embedded directly as html!
>>> >> >>
>>> >> >> I tested this in both Firefox and IE.
>>> >> >>
>>> >> >> This potentially allows someone to insert javascript functions
>>> >> >> which might get saved and then rendered by the web application
>>> >> >> when you next display the data.
>>> >> >>
>>> >> >> I personally would like to see all text pasted into the control be
>>> >> >> converted into plain text (if this is possible), or at the very
>>> >> >> least make developers using this control aware of the potential
>>> >> >> for such an injection attack.
>>> >> >>
>>> >> >> Chris.
>>> >> >> --
>>> >> >> ----------------------
>>> >> >> Chris Bailey
>>> >> >> [hidden email]
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> You receive this message as a subscriber of the
>>> >> >> [hidden email] mailing list. To unsubscribe:
>>> >> >> mailto:[hidden email] For general help:
>>> >> >> mailto:[hidden email]?subject=help
>>> >> >> ObjectWeb mailing lists service home page:
>>> >> >> http://www.objectweb.org/wws
>>> >> >>
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> ----------------------
>>> >> Chris Bailey
>>> >> [hidden email]
>>> >>
>>> >> --
>>> >> You receive this message as a subscriber of the
>>> >> [hidden email] mailing list. To unsubscribe:
>>> >> mailto:[hidden email] For general help:
>>> >> mailto:[hidden email]?subject=help
>>> >> ObjectWeb mailing lists service home page:
>>> >> http://www.objectweb.org/wws
>>> >>
>>> >>
>>>
>>>
>>>
>>> --
>>> ----------------------
>>> Chris Bailey
>>> [hidden email]
>>>
>>>
>>>
>>> --
>>> You receive this message as a subscriber of the [hidden email]
>>> mailing list. To unsubscribe: mailto:[hidden email]
>>> For general help: mailto:[hidden email]?subject=help
>>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

> After reading
> <http://www.nabble.com/FW%3A-Javascript-error---%27Permission-denied-to-call-method-XMLHttpRequest.open%27-p9511461.html>
> I see that if I fully qualify my machine name (rather then localhost:8080)
> I can see my newly modified fckconfig.js file however OPS is still serving
> me the old one.
> (Now using Orbeon Forms 3.5.1.200704300606)
>
> Chris.
>
> --On 30 April 2007 10:15 +0100 Chris Bailey <[hidden email]> wrote:
>
> > Hmm I'm using 3.5.1.200704201904 but I've had so many issues with this
> > build that I'm thinking of reverting to an earlier one (the biggest issue
> > I've not mentioned yet is that when I view any xforms page in IE it
> > freezes up IE completely! - I have to then kill it from the task
> > manager!)).
> >
> > I could try the very latest build and if that doesn't work I'll go back
> > to 3.5.0
> >
> > Chris.
> >
> >
> > --On 27 April 2007 18:17 -0700 Alessandro Vernet <[hidden email]>
> > wrote:
> >
> >> Hi Chris,
> >>
> >> Sorry, my bad: indeed, I intended to write fckconfig.js, not
> >> fckeditor.js. I think the double slash issue has been fixed. Are you
> >> using Orbeon Forms 3.5.1?
> >>
> >> BTW, even with double slash, your fckconfig.js should be loaded. Did
> >> you place it under resources/ops/fckeditor? Can you try to go to that
> >> URL directly with your browser and see if the right file is loaded?
> > It does seem to be there so maybe I just needed to restart tomcat and my
> > browser.
> >
> >> This file is loaded in such a way that even ctrl-reloading your page
> >> won't pick up a new version of the file.
> >
> >
> >>
> >> Alex
> >>
> >> On 4/27/07, Chris Bailey <[hidden email]> wrote:
> >>> Ah thanks Alex - that's exactly the setting I wanted but it seems the
> >>> setting is in fckconfig.js not fckeditor.js
> >>>
> >>> However if I extract that file out to resources/ops/fckeditor as you
> >>> suggested it isn't being picked up (although fckeditor.js is)
> >>>
> >>> I notice the config file is being loaded from
> >>> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
> >>> while the editor is obtained from
> >>> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
> >>>
> >>> Is this an bug in the ops referencing of the files or a fckeditor issue?
> >>>
> >>> Chris.
> >>>
> >>> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]>
> >>> wrote:
> >>>
> >>> > Hi Chris,
> >>> >
> >>> > OK, sorry, now I understand. We are using the FCKeditor as our HTML
> >>> > editor. There is a configuration called ForcePasteAsPlainText, which
> >>> > forces something you paste to be considered as plain text. See:
> >>> >
> >>> > http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Configurat
> >>> > ion s_Settings#ForcePasteAsPlainText
> >>> >
> >>> > Would this do the trick, or is it too aggressive? You can enable this
> >>> > by extracting the fckeditor.js from ops-resources-public.jar, and
> >>> > placing it in your resources under ops/fckeditor, and editing the file
> >>> > to add that option.
> >>> >
> >>> > Alex
> >>> >
> >>> > On 4/26/07, Chris Bailey <[hidden email]> wrote:
> >>> >> Hmm I'm not sure I explained myself very well then.
> >>> >>
> >>> >> The WYSIWYG essentially allows a user to author a piece of HTML much
> >>> >> like they would do in a word document if they saved it as HTML.
> >>> >>
> >>> >> However the author is not exposed to the raw HTML as it's wrapped up
> >>> >> behind the WYSIWYG interface.
> >>> >>
> >>> >> As a developer you might use the WYSIWYG editor to let users create
> >>> >> small pieces of html which you would then save to a database and
> >>> >> later, when requested, retrieve the html and display it (using a
> >>> >> <xforms:output ref="myinstance/wysiwyg_generated_content"
> >>> >> mediatype="text/html"/>). You would think that as the WYSIWYG control
> >>> >> has been used to generate this content that it would only contain
> >>> >> *safe* html to display.
> >>> >> However I have noticed that you can drag *any* html into the WYSIWYG
> >>> >> editor which can then be saved and would be rendered. I have produced
> >>> >> a small SWF screen video to show this in action.
> >>> >>
> >>> >> The fix I believe is that when you paste content into the WYSIWYG
> >>> >> editor that (if the editor could detect this CTRL+V action) the
> >>> >> editor first strips all html tags from the clipboard (i.e. when in
> >>> >> Word performing a Paste Special->Unformatted Text).
> >>> >>
> >>> >> I hope this makes things clearer.
> >>> >>
> >>> >> Chris.
> >>> >>
> >>> >>
> >>> >> --On 25 April 2007 16:32 -0700 Alessandro Vernet <[hidden email]>
> >>> >> wrote:
> >>> >>
> >>> >> > Hi Chris,
> >>> >> >
> >>> >> > I am not sure to follow: where is it that you would like the HTML
> >>> >> > to be embedded as text rather than HTML?
> >>> >> >
> >>> >> > Alex
> >>> >> >
> >>> >> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
> >>> >> >> I just noticed a potential venerability in the WYSIWYG editor.
> >>> >> >>
> >>> >> >> This control allows users to create html, although the user is
> >>> >> >> restricted from entering html directly (normally you have to use
> >>> >> >> the buttons provided: bold, underlined, justified etc). However it
> >>> >> >> seems that from within a web browser you can select a range of
> >>> >> >> html from anywhere on a webpage and drag-n-drop the selected text
> >>> >> >> into the WYSIWYG editor. Rather then converting this pasted
> >>> >> >> content into plain text, the content is embedded directly as html!
> >>> >> >>
> >>> >> >> I tested this in both Firefox and IE.
> >>> >> >>
> >>> >> >> This potentially allows someone to insert javascript functions
> >>> >> >> which might get saved and then rendered by the web application
> >>> >> >> when you next display the data.
> >>> >> >>
> >>> >> >> I personally would like to see all text pasted into the control be
> >>> >> >> converted into plain text (if this is possible), or at the very
> >>> >> >> least make developers using this control aware of the potential
> >>> >> >> for such an injection attack.
> >>> >> >>
> >>> >> >> Chris.
> >>> >> >> --
> >>> >> >> ----------------------
> >>> >> >> Chris Bailey
> >>> >> >> [hidden email]
> >>> >> >>
> >>> >> >>
> >>> >> >>
> >>> >> >> --
> >>> >> >> You receive this message as a subscriber of the
> >>> >> >> [hidden email] mailing list. To unsubscribe:
> >>> >> >> mailto:[hidden email] For general help:
> >>> >> >> mailto:[hidden email]?subject=help
> >>> >> >> ObjectWeb mailing lists service home page:
> >>> >> >> http://www.objectweb.org/wws
> >>> >> >>
> >>> >>
> >>> >>
> >>> >>
> >>> >> --
> >>> >> ----------------------
> >>> >> Chris Bailey
> >>> >> [hidden email]
> >>> >>
> >>> >> --
> >>> >> You receive this message as a subscriber of the
> >>> >> [hidden email] mailing list. To unsubscribe:
> >>> >> mailto:[hidden email] For general help:
> >>> >> mailto:[hidden email]?subject=help
> >>> >> ObjectWeb mailing lists service home page:
> >>> >> http://www.objectweb.org/wws
> >>> >>
> >>> >>
> >>>
> >>>
> >>>
> >>> --
> >>> ----------------------
> >>> Chris Bailey
> >>> [hidden email]
> >>>
> >>>
> >>>
> >>> --
> >>> You receive this message as a subscriber of the [hidden email]
> >>> mailing list. To unsubscribe: mailto:[hidden email]
> >>> For general help: mailto:[hidden email]?subject=help
> >>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>
>
> --
> ----------------------
> Chris Bailey
> [hidden email]
>
>
>
> --
> You receive this message as a subscriber of the [hidden email] mailing list.
> To unsubscribe: mailto:[hidden email]
> For general help: mailto:[hidden email]?subject=help
> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>
>

> Chris,
>
> Can you try to clear the cache of your browser, and access the page
> again? This in general what I do after modifying files from the
> FCKeditor.
>
> Alex
>
> On 4/30/07, Chris Bailey <[hidden email]> wrote:
>> After reading
>> <http://www.nabble.com/FW%3A-Javascript-error---%27Permission-denied-to-
>> call-method-XMLHttpRequest.open%27-p9511461.html> I see that if I fully
>> qualify my machine name (rather then localhost:8080) I can see my newly
>> modified fckconfig.js file however OPS is still serving me the old one.
>> (Now using Orbeon Forms 3.5.1.200704300606)
>>
>> Chris.
>>
>> --On 30 April 2007 10:15 +0100 Chris Bailey <[hidden email]>
>> wrote:
>>
>> > Hmm I'm using 3.5.1.200704201904 but I've had so many issues with this
>> > build that I'm thinking of reverting to an earlier one (the biggest
>> > issue I've not mentioned yet is that when I view any xforms page in IE
>> > it freezes up IE completely! - I have to then kill it from the task
>> > manager!)).
>> >
>> > I could try the very latest build and if that doesn't work I'll go back
>> > to 3.5.0
>> >
>> > Chris.
>> >
>> >
>> > --On 27 April 2007 18:17 -0700 Alessandro Vernet <[hidden email]>
>> > wrote:
>> >
>> >> Hi Chris,
>> >>
>> >> Sorry, my bad: indeed, I intended to write fckconfig.js, not
>> >> fckeditor.js. I think the double slash issue has been fixed. Are you
>> >> using Orbeon Forms 3.5.1?
>> >>
>> >> BTW, even with double slash, your fckconfig.js should be loaded. Did
>> >> you place it under resources/ops/fckeditor? Can you try to go to that
>> >> URL directly with your browser and see if the right file is loaded?
>> > It does seem to be there so maybe I just needed to restart tomcat and
>> > my browser.
>> >
>> >> This file is loaded in such a way that even ctrl-reloading your page
>> >> won't pick up a new version of the file.
>> >
>> >
>> >>
>> >> Alex
>> >>
>> >> On 4/27/07, Chris Bailey <[hidden email]> wrote:
>> >>> Ah thanks Alex - that's exactly the setting I wanted but it seems the
>> >>> setting is in fckconfig.js not fckeditor.js
>> >>>
>> >>> However if I extract that file out to resources/ops/fckeditor as you
>> >>> suggested it isn't being picked up (although fckeditor.js is)
>> >>>
>> >>> I notice the config file is being loaded from
>> >>> http://localhost:8080/<myapp>//ops/fckeditor/fckconfig.js
>> >>> while the editor is obtained from
>> >>> localhost:8080/<myapp>/ops/fckeditor/fckconfig.js
>> >>>
>> >>> Is this an bug in the ops referencing of the files or a fckeditor
>> >>> issue?
>> >>>
>> >>> Chris.
>> >>>
>> >>> --On 26 April 2007 11:17 -0700 Alessandro Vernet <[hidden email]>
>> >>> wrote:
>> >>>
>> >>> > Hi Chris,
>> >>> >
>> >>> > OK, sorry, now I understand. We are using the FCKeditor as our HTML
>> >>> > editor. There is a configuration called ForcePasteAsPlainText,
>> >>> > which forces something you paste to be considered as plain text.
>> >>> > See:
>> >>> >
>> >>> > http://wiki.fckeditor.net/Developer%27s_Guide/Configuration/Config
>> >>> > urat ion s_Settings#ForcePasteAsPlainText
>> >>> >
>> >>> > Would this do the trick, or is it too aggressive? You can enable
>> >>> > this by extracting the fckeditor.js from ops-resources-public.jar,
>> >>> > and placing it in your resources under ops/fckeditor, and editing
>> >>> > the file to add that option.
>> >>> >
>> >>> > Alex
>> >>> >
>> >>> > On 4/26/07, Chris Bailey <[hidden email]> wrote:
>> >>> >> Hmm I'm not sure I explained myself very well then.
>> >>> >>
>> >>> >> The WYSIWYG essentially allows a user to author a piece of HTML
>> >>> >> much like they would do in a word document if they saved it as
>> >>> >> HTML.
>> >>> >>
>> >>> >> However the author is not exposed to the raw HTML as it's wrapped
>> >>> >> up behind the WYSIWYG interface.
>> >>> >>
>> >>> >> As a developer you might use the WYSIWYG editor to let users
>> >>> >> create small pieces of html which you would then save to a
>> >>> >> database and later, when requested, retrieve the html and display
>> >>> >> it (using a <xforms:output
>> >>> >> ref="myinstance/wysiwyg_generated_content"
>> >>> >> mediatype="text/html"/>). You would think that as the WYSIWYG
>> >>> >> control has been used to generate this content that it would only
>> >>> >> contain *safe* html to display.
>> >>> >> However I have noticed that you can drag *any* html into the
>> >>> >> WYSIWYG editor which can then be saved and would be rendered. I
>> >>> >> have produced a small SWF screen video to show this in action.
>> >>> >>
>> >>> >> The fix I believe is that when you paste content into the WYSIWYG
>> >>> >> editor that (if the editor could detect this CTRL+V action) the
>> >>> >> editor first strips all html tags from the clipboard (i.e. when in
>> >>> >> Word performing a Paste Special->Unformatted Text).
>> >>> >>
>> >>> >> I hope this makes things clearer.
>> >>> >>
>> >>> >> Chris.
>> >>> >>
>> >>> >>
>> >>> >> --On 25 April 2007 16:32 -0700 Alessandro Vernet
>> >>> >> <[hidden email]> wrote:
>> >>> >>
>> >>> >> > Hi Chris,
>> >>> >> >
>> >>> >> > I am not sure to follow: where is it that you would like the
>> >>> >> > HTML to be embedded as text rather than HTML?
>> >>> >> >
>> >>> >> > Alex
>> >>> >> >
>> >>> >> > On 4/25/07, Chris Bailey <[hidden email]> wrote:
>> >>> >> >> I just noticed a potential venerability in the WYSIWYG editor.
>> >>> >> >>
>> >>> >> >> This control allows users to create html, although the user is
>> >>> >> >> restricted from entering html directly (normally you have to
>> >>> >> >> use the buttons provided: bold, underlined, justified etc).
>> >>> >> >> However it seems that from within a web browser you can select
>> >>> >> >> a range of html from anywhere on a webpage and drag-n-drop the
>> >>> >> >> selected text into the WYSIWYG editor. Rather then converting
>> >>> >> >> this pasted content into plain text, the content is embedded
>> >>> >> >> directly as html!
>> >>> >> >>
>> >>> >> >> I tested this in both Firefox and IE.
>> >>> >> >>
>> >>> >> >> This potentially allows someone to insert javascript functions
>> >>> >> >> which might get saved and then rendered by the web application
>> >>> >> >> when you next display the data.
>> >>> >> >>
>> >>> >> >> I personally would like to see all text pasted into the
>> >>> >> >> control be converted into plain text (if this is possible), or
>> >>> >> >> at the very least make developers using this control aware of
>> >>> >> >> the potential for such an injection attack.
>> >>> >> >>
>> >>> >> >> Chris.
>> >>> >> >> --
>> >>> >> >> ----------------------
>> >>> >> >> Chris Bailey
>> >>> >> >> [hidden email]
>> >>> >> >>
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> --
>> >>> >> >> You receive this message as a subscriber of the
>> >>> >> >> [hidden email] mailing list. To unsubscribe:
>> >>> >> >> mailto:[hidden email] For general help:
>> >>> >> >> mailto:[hidden email]?subject=help
>> >>> >> >> ObjectWeb mailing lists service home page:
>> >>> >> >> http://www.objectweb.org/wws
>> >>> >> >>
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> --
>> >>> >> ----------------------
>> >>> >> Chris Bailey
>> >>> >> [hidden email]
>> >>> >>
>> >>> >> --
>> >>> >> You receive this message as a subscriber of the
>> >>> >> [hidden email] mailing list. To unsubscribe:
>> >>> >> mailto:[hidden email] For general help:
>> >>> >> mailto:[hidden email]?subject=help
>> >>> >> ObjectWeb mailing lists service home page:
>> >>> >> http://www.objectweb.org/wws
>> >>> >>
>> >>> >>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> ----------------------
>> >>> Chris Bailey
>> >>> [hidden email]
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> You receive this message as a subscriber of the
>> >>> [hidden email] mailing list. To unsubscribe:
>> >>> mailto:[hidden email] For general help:
>> >>> mailto:[hidden email]?subject=help
>> >>> ObjectWeb mailing lists service home page:
>> >>> http://www.objectweb.org/wws
>>
>>
>>
>> --
>> ----------------------
>> Chris Bailey
>> [hidden email]
>>
>>
>>
>> --
>> You receive this message as a subscriber of the [hidden email]
>> mailing list. To unsubscribe: mailto:[hidden email]
>> For general help: mailto:[hidden email]?subject=help
>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>