X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FProjets%2Fpackagist%2Fpiedsjaloux-ckeditor-component.git;a=blobdiff_plain;f=sources%2Fcore%2Fhtmldataprocessor.js;fp=sources%2Fcore%2Fhtmldataprocessor.js;h=79e996b6c91e57118c57bfa02ad020b813186e73;hp=d079e4d4f1e8b37377e1b09b7653fe30c732f2e1;hb=317f8f8f0651488f226b5280a8f036c7c135c639;hpb=1096cdefb1c9a3f3c4ca6807e272da6c92e5ed9c diff --git a/sources/core/htmldataprocessor.js b/sources/core/htmldataprocessor.js index d079e4d..79e996b 100644 --- a/sources/core/htmldataprocessor.js +++ b/sources/core/htmldataprocessor.js @@ -1,5 +1,5 @@ /** - * @license Copyright (c) 2003-2016, CKSource - Frederico Knabben. All rights reserved. + * @license Copyright (c) 2003-2017, CKSource - Frederico Knabben. All rights reserved. * For licensing, see LICENSE.md or http://ckeditor.com/license */ @@ -56,7 +56,7 @@ // it up and apply the filter. data = protectSource( data, editor ); - // Protect content of textareas. (#9995) + // Protect content of textareas. (http://dev.ckeditor.com/ticket/9995) // Do this before protecting attributes to avoid breaking: // data = protectElements( data, protectTextareaRegex ); @@ -67,23 +67,23 @@ data = protectAttributes( data ); // Protect elements than can't be set inside a DIV. E.g. IE removes - // style tags from innerHTML. (#3710) + // style tags from innerHTML. (http://dev.ckeditor.com/ticket/3710) data = protectElements( data, protectElementsRegex ); // Certain elements has problem to go through DOM operation, protect - // them by prefixing 'cke' namespace. (#3591) + // them by prefixing 'cke' namespace. (http://dev.ckeditor.com/ticket/3591) data = protectElementsNames( data ); // All none-IE browsers ignore self-closed custom elements, - // protecting them into open-close. (#3591) + // protecting them into open-close. (http://dev.ckeditor.com/ticket/3591) data = protectSelfClosingElements( data ); // Compensate one leading line break after
 open as browsers
-			// eat it up. (#5789)
+			// eat it up. (http://dev.ckeditor.com/ticket/5789)
 			data = protectPreFormatted( data );
 
 			// There are attributes which may execute JavaScript code inside fixBin.
-			// Encode them greedily. They will be unprotected right after getting HTML from fixBin. (#10)
+			// Encode them greedily. They will be unprotected right after getting HTML from fixBin. (http://dev.ckeditor.com/ticket/10)
 			data = protectInsecureAttributes( data );
 
 			var fixBin = evtData.context || editor.editable().getName(),
@@ -99,7 +99,7 @@
 			// Call the browser to help us fixing a possibly invalid HTML
 			// structure.
 			var el = editor.document.createElement( fixBin );
-			// Add fake character to workaround IE comments bug. (#3801)
+			// Add fake character to workaround IE comments bug. (http://dev.ckeditor.com/ticket/3801)
 			el.setHtml( 'a' + data );
 			data = el.getHtml().substr( 1 );
 
@@ -128,7 +128,7 @@
 			data = CKEDITOR.htmlParser.fragment.fromHtml( data, evtData.context, fixBodyTag );
 
 			// The empty root element needs to be fixed by adding 'p' or 'div' into it.
-			// This avoids the need to create that element on the first focus (#12630).
+			// This avoids the need to create that element on the first focus (http://dev.ckeditor.com/ticket/12630).
 			if ( fixBodyTag ) {
 				fixEmptyRoot( data, fixBodyTag );
 			}
@@ -163,7 +163,7 @@
 		editor.on( 'toDataFormat', function( evt ) {
 			var data = evt.data.dataValue;
 
-			// #10854 - we need to strip leading blockless 
which FF adds + // http://dev.ckeditor.com/ticket/10854 - we need to strip leading blockless
which FF adds // automatically when editable contains only non-editable content. // We do that for every browser (so it's a constant behavior) and // not in BR mode, in which chance of valid leading blockless
is higher. @@ -192,7 +192,7 @@ data.writeChildrenHtml( writer ); data = writer.getHtml( true ); - // Restore those non-HTML protected source. (#4475,#4880) + // Restore those non-HTML protected source. (http://dev.ckeditor.com/ticket/4475,http://dev.ckeditor.com/ticket/4880) data = unprotectRealComments( data ); data = unprotectSource( data, editor ); @@ -448,7 +448,7 @@ return false; // 1. For IE version >=8, empty blocks are displayed correctly themself in wysiwiyg; - // 2. For the rest, at least table cell and list item need no filler space. (#6248) + // 2. For the rest, at least table cell and list item need no filler space. (http://dev.ckeditor.com/ticket/6248) if ( !isOutput && !CKEDITOR.env.needsBrFiller && ( document.documentMode > 7 || block.name in CKEDITOR.dtd.tr || @@ -484,7 +484,7 @@ } // Regex to scan for   at the end of blocks, which are actually placeholders. - // Safari transforms the   to \xa0. (#4172) + // Safari transforms the   to \xa0. (http://dev.ckeditor.com/ticket/4172) var tailNbspRegex = /(?: |\xa0)$/; var protectedSourceMarker = '{cke_protected}'; 
@@ -563,18 +563,35 @@ // active in the editing area (IE|WebKit). [ ( /^on/ ), 'data-cke-pa-on' ], + // Prevent iframe's srcdoc attribute from being evaluated in the editable. + [ ( /^srcdoc/ ), 'data-cke-pa-srcdoc' ], + // Don't let some old expando enter editor. Concerns only IE8, // but for consistency remove on all browsers. [ ( /^data-cke-expando$/ ), '' ] - ] + ], + + elements: { + // Prevent iframe's src attribute with javascript code or data protocol from being evaluated in the editable. + iframe: function( element ) { + if ( element.attributes && element.attributes.src ) { + + var src = element.attributes.src.toLowerCase().replace( /[^a-z]/gi, '' ); + if ( src.indexOf( 'javascript' ) === 0 || src.indexOf( 'data' ) === 0 ) { + element.attributes[ 'data-cke-pa-src' ] = element.attributes.src; + delete element.attributes.src; + } + } + } + } }; - // Disable form elements editing mode provided by some browsers. (#5746) + // Disable form elements editing mode provided by some browsers. (http://dev.ckeditor.com/ticket/5746) function protectReadOnly( element ) { var attrs = element.attributes; // We should flag that the element was locked by our code so - // it'll be editable by the editor functions (#6046). + // it'll be editable by the editor functions (http://dev.ckeditor.com/ticket/6046). if ( attrs.contenteditable != 'false' ) attrs[ 'data-cke-editable' ] = attrs.contenteditable ? 'true' : 1; @@ -602,7 +619,7 @@ } }, - // Remove empty link but not empty anchor. (#3829, #13516) + // Remove empty link but not empty anchor. (http://dev.ckeditor.com/ticket/3829, http://dev.ckeditor.com/ticket/13516) a: function( element ) { var attrs = element.attributes; @@ -641,7 +658,7 @@ if ( attribs[ 'data-cke-temp' ] ) return false; - // Remove duplicated attributes - #3789. + // Remove duplicated attributes - http://dev.ckeditor.com/ticket/3789. var attributeNames = [ 'name', 'href', 'src' ], savedAttributeName; for ( var i = 0; i < attributeNames.length; i++ ) { 
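Review bot: The new `iframe` rule in the `elements:` block compares a letters-only copy of `src`, so a relative URL whose leading letters spell `data` or `javascript` (e.g. `src="data-reports/view.html"`) is also moved into `data-cke-pa-src` and the frame silently loses its source; that is a harmless but surprising false positive, and the reason for stripping non-letters — presumably to defeat obfuscated schemes such as `java\tscript:` — is not stated anywhere in the hunk. The prefix list also omits `vbscript`, which, as far as I recall, the older IE versions this file still special-cases (`document.documentMode > 7` in an earlier hunk) honor as a script scheme in a frame. I would widen the test to `if ( /^(javascript|vbscript|data)/.test( src ) ) {` and add `// Compare on letters only so obfuscated schemes (e.g. "java\tscript:") still match; relative URLs beginning with these words get protected too.` above the `var src` line. The object literal that gains the `elements` key begins before this hunk.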
@@ -653,7 +670,7 @@ return element; }, - // The contents of table should be in correct order (#4809). + // The contents of table should be in correct order (http://dev.ckeditor.com/ticket/4809). table: function( element ) { // Clone the array as it would become empty during the sort call. var children = element.children.slice( 0 ); @@ -712,7 +729,7 @@ title: function( element ) { var titleText = element.children[ 0 ]; - // Append text-node to title tag if not present (i.e. non-IEs) (#9882). + // Append text-node to title tag if not present (i.e. non-IEs) (http://dev.ckeditor.com/ticket/9882). !titleText && append( element, titleText = new CKEDITOR.htmlParser.text() ); // Transfer data-saved title to title tag. @@ -733,7 +750,7 @@ if ( CKEDITOR.env.ie ) { // IE outputs style attribute in capital letters. We should convert - // them back to lower case, while not hurting the values (#5930) + // them back to lower case, while not hurting the values (http://dev.ckeditor.com/ticket/5930) defaultHtmlFilterRulesForAll.attributes.style = function( value ) { return value.replace( /(^|;)([^\:]+)/g, function( match ) { return match.toLowerCase(); @@ -741,7 +758,7 @@ }; } - // Disable form elements editing mode provided by some browsers. (#5746) + // Disable form elements editing mode provided by some browsers. (http://dev.ckeditor.com/ticket/5746) function unprotectReadyOnly( element ) { var attrs = element.attributes; switch ( attrs[ 'data-cke-editable' ] ) { @@ -773,7 +790,7 @@ // // 'data-x' => '<a href="X"' // - // which, can be easily filtered out (#11508). + // which, can be easily filtered out (http://dev.ckeditor.com/ticket/11508). protectAttributeRegex = /([\w-:]+)\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|(?:[^ "'>]+))/gi, protectAttributeNameRegex = /^(href|src|name)$/i; 
@@ -790,8 +807,8 @@ function protectAttributes( html ) { return html.replace( protectElementRegex, function( element, tag, attributes ) { return '<' + tag + attributes.replace( protectAttributeRegex, function( fullAttr, attrName ) { - // Avoid corrupting the inline event attributes (#7243). - // We should not rewrite the existed protected attributes, e.g. clipboard content from editor. (#5218) + // Avoid corrupting the inline event attributes (http://dev.ckeditor.com/ticket/7243). + // We should not rewrite the existed protected attributes, e.g. clipboard content from editor. (http://dev.ckeditor.com/ticket/5218) if ( protectAttributeNameRegex.test( attrName ) && attributes.indexOf( 'data-cke-saved-' + attrName ) == -1 ) return ' data-cke-saved-' + fullAttr + ' data-cke-' + CKEDITOR.rnd + '-' + fullAttr; @@ -880,7 +897,7 @@ //