Disallow href="javascript:*" in CKEditor


DrQuincy

I use CKEditor 4, the same as PW, in other projects and have noticed it allows <a href="javascript:alert(document.cookie)">.

Does anyone know how I can use config to disallow any hrefs that start with javascript:? It's fine in PW as HTML Purifier seems to catch it but I wondered for other projects. There is an option config.linkJavaScriptLinksAllowed but it only applies to the link dialog.

I'm sure it must be doable with regex in config.allowedContent but I'm drawing a blank.

Thanks.

Link to comment
Share on other sites

I don't think it's possible to use regex in config.allowedContent, but this seems to do the job:

CKEDITOR.on('instanceReady', function(event) {
	var rules = {
		elements: {
			a: function(element) {
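				var href = element.attributes.href;
				// If the link has an href and it starts with 'javascript:'...
				// (anchors without an href are left alone instead of throwing)
				if(href && href.substring(0, 11).toLowerCase() === 'javascript:') {
					// ...then the href is invalid so remove the link
					delete element.name;
				}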
			}
		}
	};
	event.editor.dataProcessor.htmlFilter.addRules(rules);
	event.editor.dataProcessor.dataFilter.addRules(rules);
});

 

  • Like 1
Link to comment
Share on other sites
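
A stricter variant of the filter in the reply above, as an added example that is not part of the thread: it goes beyond the single javascript: prefix by allowlisting URL schemes, normalises the value the way a URL parser does before comparing, and leaves links without an href alone. The isSafeHref and makeLinkRules names and the scheme list are assumptions.

```javascript
// Added example, not code from the thread. The scheme list is an assumption.
var ALLOWED_SCHEMES = ['http', 'https', 'mailto', 'tel'];

// Returns true if a link may keep this href value.
function isSafeHref(href) {
	// Mirror URL parsing: trim leading/trailing control characters and
	// spaces, then drop tab and newline characters wherever they occur.
	var url = String(href)
		.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
		.replace(/[\t\n\r]/g, '');
	var scheme = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
	if (scheme) {
		return ALLOWED_SCHEMES.indexOf(scheme[1].toLowerCase()) !== -1;
	}
	// No scheme, so a relative URL. Refuse ':' or '&' in its first segment:
	// the filter may see character references undecoded (assumption), and
	// those could stand for part of a scheme once the browser decodes them.
	return !/[:&]/.test(url.split(/[\/?]/)[0]);
}

// Filter rules in the same shape as the thread's snippet.
function makeLinkRules() {
	return {
		elements: {
			a: function(element) {
				// CKEditor 4 also keeps link targets in data-cke-saved-href.
				var values = [element.attributes.href,
					element.attributes['data-cke-saved-href']];
				for (var i = 0; i < values.length; i++) {
					if (values[i] !== undefined && !isSafeHref(values[i])) {
						// Same action as in the thread: drop the <a> itself.
						delete element.name;
						return;
					}
				}
			}
		}
	};
}

// Register only where CKEditor is loaded, so the file also runs under Node.
if (typeof CKEDITOR !== 'undefined') {
	CKEDITOR.on('instanceReady', function(event) {
		var rules = makeLinkRules();
		event.editor.dataProcessor.htmlFilter.addRules(rules);
		event.editor.dataProcessor.dataFilter.addRules(rules);
	});
}
```

Editor-side filtering only cleans what passes through the editor, so the server still has to sanitise submitted HTML, as HTML Purifier does in the setup described in the question.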
