DrQuincy, posted October 23, 2020

I use CKEditor 4, the same as PW, in other projects and have noticed it allows <a href="javascript:alert(document.cookie)">. Does anyone know how I can use config to disallow any hrefs that start with javascript:? It's fine in PW, as HTML Purifier seems to catch it, but I wondered about other projects. There is an option config.linkJavaScriptLinksAllowed, but it only applies to the link dialog. I'm sure it must be doable with regex in config.allowedContent, but I'm drawing a blank. Thanks.
Robin S, posted October 23, 2020

I don't think it's possible to use regex in config.allowedContent, but this seems to do the job:

    CKEDITOR.on('instanceReady', function(event) {
        var rules = {
            elements: {
                a: function(element) {
                    var href = element.attributes.href;
                    // Anchors without an href (e.g. named anchors) have nothing to check
                    if (!href) return;
                    // If a link href starts with 'javascript:'...
                    if (href.substring(0, 11).toLowerCase() === 'javascript:') {
                        // ...then the href is invalid, so unwrap the link (its text is kept)
                        delete element.name;
                    }
                }
            }
        };
        // Apply the rule both when data is loaded into the editor and when it is output
        event.editor.dataProcessor.htmlFilter.addRules(rules);
        event.editor.dataProcessor.dataFilter.addRules(rules);
    });
DrQuincy (author), posted October 26, 2020

Thanks, I'll give it a go when I am in the office later! Do you think it is odd that it allows this by default but disallows it in the link dialog? Is there a reason for it, or is it an oversight?
DrQuincy (author), posted October 27, 2020

This is great. I have just added .trim() so that it picks up on href=" javascript:alert('');" too.

    if (element.attributes.href.trim().substring(0, 11).toLowerCase() === 'javascript:') {

Thanks again.
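The following is an added example, not code from Robin S or DrQuincy above and not part of CKEditor or ProcessWire. The posted rule compares the first eleven characters of the href, and trim() handles leading spaces, but browsers also remove ASCII tab, LF and CR from anywhere in a URL and strip leading and trailing C0 control characters before reading the scheme, so a value such as "java\tscript:alert(1)" or "\u0001javascript:alert(1)" passes the prefix check yet still executes. The helper below normalises the href the same way before extracting the scheme and then keeps only an allowlist of schemes (relative URLs and fragments pass), which also rejects data: and vbscript: rather than only javascript:. The function names, the allowlist contents and the filterAnchor() test shim are this example's own choices; the CKEditor wiring mirrors the shape of the rule posted above.

```javascript
// Added example (not from the thread or from CKEditor): scheme allowlist for <a href>
// with WHATWG-style normalisation, plugged into the same CKEditor 4 rule shape as above.

// Browsers drop U+0009, U+000A and U+000D anywhere in a URL and strip leading/trailing
// C0 controls and spaces before parsing, so the check must do the same first.
function normaliseHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Allowlist chosen for this example; extend per project (e.g. add 'ftp').
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// True when the href may stay: no href at all (named anchor), a relative URL,
// a fragment or query, or an allowlisted scheme. Anything else is unwrapped.
function isSafeHref(href) {
  if (href === undefined || href === null) return true;
  const url = normaliseHref(href);
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  if (!m) return true;            // no scheme: "/path", "#top", "?q=1", "//host"
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// CKEditor 4 htmlParser rule: unwrap the <a> (keeping its children) when the
// href fails the allowlist. 'delete element.name' is CKEditor's unwrap idiom.
const anchorRule = {
  elements: {
    a: function (element) {
      if (!isSafeHref(element.attributes.href)) {
        delete element.name;
      }
    }
  }
};

// Register on both filters, as in the posted rule; skipped when CKEDITOR is
// absent (e.g. under Node), so the file still loads stand-alone.
if (typeof CKEDITOR !== 'undefined') {
  CKEDITOR.on('instanceReady', function (event) {
    event.editor.dataProcessor.htmlFilter.addRules(anchorRule);
    event.editor.dataProcessor.dataFilter.addRules(anchorRule);
  });
}

// Test shim (this example's own): run the rule over a fake htmlParser element
// built from the given attributes and report whether the link survived.
function filterAnchor(attributes) {
  const element = { name: 'a', attributes: attributes };
  anchorRule.elements.a(element);
  return element.name === 'a';
}

module.exports = { normaliseHref, isSafeHref, anchorRule, filterAnchor };
```

An allowlist is preferable to a javascript: blocklist here because the set of executable schemes differs per browser and era, while the set of schemes a CMS link should carry is small and known. Note that this only governs what CKEditor accepts and emits; server-side filtering such as HTML Purifier in PW remains the control that matters, since the editor runs in the attacker's own browser.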