Hi,

Just wanted to let you know that when you do the following, it might break your site if you have additional filters enabled (like spamspan).

  • Use Firefox
  • Go and create a node with CKEditor enabled.
  • Drag an image from your desktop (preferably a bit big) into the CKEditor.
  • Hit save (or view code)

As you can see, the image is loaded into the text area as <img alt="" src="data:image/png;base64,iVBORw0KGgoAAAAN... ...Kt618f8EYXwHmCtPdQAAAABJRU5ErkJggg==" /> with 300.000 characters in between or more. This can break your site if some filters want to analyse these 300.000 characters with regexp. Besides, this can be exploited to take down sites easily and quickly.

Regards,

Geert

Comments

mkesicki’s picture

Status: Active » Closed (won't fix)

This issue is related more to a Firefox feature/behaviour and WYSIWYG editors, not only the CKEditor module for Drupal or CKEditor itself.
Please look at topic: #1193036: Firefox handling of Drag & Drop images: inserted as binary blobs in WYSIWYG editors.

To resolve this issue and handle this behaviour in CKEditor, please check the plugin from:
http://dev.ckeditor.com/ticket/8208.
Here is a description of it: http://cksource.com/forums/viewtopic.php?f=18&t=23646
You can also configure a wysiwyg (or other) Drupal filter to remove images inserted in this way during server-side validation.

GBurg’s picture

Status: Closed (won't fix) » Active

Hey,

To be honest, I think this should be solved in the ckeditor module, as it is a security risk. For example, I am a web designer and make several Drupal websites with the ckeditor module a month. Anonymous users should also be able to post comments/forum topics/etc. I would have to manually fix this problem for every site I deliver, to make sure my dedicated server machine can't go down! Moreover, probably every Drupal website with the ckeditor can be stressed by using this to increase the server load (to make the server load go crazy, use some filters like spamspan).

Of course, at the heart of the problem, this is a Firefox or even a CKEditor problem. But I think we can't wait for them to address this problem, as it is a security risk for every Drupal installation with ckeditor installed.

I think the best solution is to have this solution in ckeditor.config.js http://drupal.org/node/1193036#comment-5166164 which totally disables the pasting of images in ckeditor. It is what I will be using. I want to bring this post once more to the attention of the ckeditor module maintainers, as I think it is a security risk, not caused by the maintainers or coders of this module, but it should be fixed.

Regards,

Geert

mkesicki’s picture

Status: Active » Postponed

As I wrote earlier, this issue applies to all WYSIWYG editors in Firefox. Generally this is not a security issue in CKEditor, because how content is filtered to protect the site depends on the application and its configuration. In Drupal this is handled by the text formats and filters that are used to filter content.
Generally you will get the same issue if somebody pastes the same images (as encoded text) into plain text (a textarea in a form) without any WYSIWYG editor.
If you want to protect against this issue in Firefox, you should use some client-side validation.
We will also check a solution for this and think about adding it to our module as a configuration option.
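
The following is an added example, not code from this thread or from the CKEditor module: a single-pass scanner that drops `<img>` tags whose `src` is a `data:` URI and then applies a length cap, without running a backtracking regex over the base64 payload. The function names and `MAX_BODY_CHARS` are assumptions. A check that runs only in the browser can be skipped by whoever submits the form, so the same logic belongs in a server-side filter that runs before regex-based filters such as spamspan.

```javascript
// Added example: names and the size cap are hypothetical, not from the module.
const MAX_BODY_CHARS = 65536; // assumed limit; tune per text format

const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';

// Walk one tag starting at html[start] === '<' in a single pass.
// Returns end (index past the closing '>') and whether a src value starts with "data:".
function scanTag(html, start) {
  let quote = null, dataSrc = false;
  for (let i = start + 1; i < html.length; i++) {
    const c = html[i];
    if (quote) { if (c === quote) quote = null; continue; } // '>' in quotes is data
    if (c === '>') return { end: i + 1, dataSrc };
    if (c === '"' || c === "'") { quote = c; continue; }
    const prev = html[i - 1];
    if ((isWs(prev) || prev === '/') && html.slice(i, i + 3).toLowerCase() === 'src') {
      let j = i + 3;
      while (isWs(html[j])) j++;
      if (html[j] !== '=') continue; // e.g. srcset, or a bare word
      j++;
      while (isWs(html[j])) j++;
      if (html[j] === '"' || html[j] === "'") j++;
      while (isWs(html[j])) j++;
      if (html.slice(j, j + 5).toLowerCase() === 'data:') dataSrc = true;
    }
  }
  return { end: html.length, dataSrc }; // unterminated tag runs to end of input
}

// Remove every <img> whose src is a data: URI, then apply the length cap.
function stripInlineDataImages(html) {
  const imgOpen = /<img(?=[\s\/>])/gi; // fixed literal plus one lookahead character
  let out = '', pos = 0, removed = 0, m;
  while ((m = imgOpen.exec(html)) !== null) {
    const { end, dataSrc } = scanTag(html, m.index);
    out += html.slice(pos, dataSrc ? m.index : end); // keep normal images as-is
    if (dataSrc) removed++;
    pos = end;
    imgOpen.lastIndex = end; // resume after the tag just scanned
  }
  out += html.slice(pos);
  return { html: out, removed, tooLarge: out.length > MAX_BODY_CHARS };
}
```

A caller would reject the submission when `tooLarge` is true and otherwise pass `html` on to the remaining filters.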

mkesicki’s picture

Issue summary: View changes

Put image tag in code tag, as otherwise the problem is not well shown