Cute Editor injecting code from Firefox add-ins

Last post 03-15-2010, 12:31 PM by Adam. 7 replies.
  •  03-10-2010, 10:20 AM 59305

    Cute Editor injecting code from Firefox add-ins

    Hello,

    I'm a software developer working on a web application that uses CuteEditor as its WYSIWYG editor for web page layout. For reasons unknown to me, various Firefox plug-ins (http://www.lastpass.com and the Skype plugin so far that I've seen) are injecting JavaScript code into the HTML when I go into CuteEditor's HTML edit mode. Here's an example from LastPass:


    <script>try { for(var lastpass_iter=0; lastpass_iter < document.forms.length; lastpass_iter++){ var lastpass_f = document.forms[lastpass_iter]; if(typeof(lastpass_f.lpsubmitorig)=="undefined"){ if (typeof(lastpass_f.submit) == "function") { lastpass_f.lpsubmitorig = lastpass_f.submit; lastpass_f.submit = function(){ var form = this; try { if (document.documentElement && 'createEvent' in document) { var forms = document.getElementsByTagName('form'); for (var i=0 ; i<forms.length ; ++i) if (forms[i]==form) { var element = document.createElement('lpformsubmitdataelement'); element.setAttribute('formnum',i); element.setAttribute('from','submithook'); document.documentElement.appendChild(element); var evt = document.createEvent('Events'); evt.initEvent('lpformsubmit',true,false); element.dispatchEvent(evt); break; } } } catch (e) {} try { form.lpsubmitorig(); } catch (e) {} } } } }} catch (e) {}</script>


    I really have no idea what's going on here but it's obviously a real problem for us and our application. Can anyone comment on this?  It's obviously an issue with CE and Firefox since it happens with multiple add-ins.

    Thanks,

    Jonathan
  •  03-10-2010, 4:07 PM 59314 in reply to 59305

    Re: Cute Editor injecting code from Firefox add-ins

    Jonathan,
     
    If you set the Editor.EnableStripScriptTags property to true, can the editor remove the above code?

    asp.net Chat http://cutesoft.net/ASP.NET+Chat/default.aspx
    Web Messenger: http://cutesoft.net/Web-Messenger/default.aspx
    asp.net wysiwyg editor: http://cutesoft.net/ASP.NET+WYSIWYG+Editor/default.aspx
    asp wysiwyg html editor: http://cutesoft.net/ASP
    asp.net Image Gallery: http://cutesoft.net/ASP.NET+Image+Gallery/default.aspx
    Live Support: http://cutesoft.net/live-support/default.aspx

  •  03-11-2010, 9:20 PM 59347 in reply to 59314

    Re: Cute Editor injecting code from Firefox add-ins

    Yes that does remove the offending code, of course along with all the javascript I actually DO want to be there.
     
    So what now?
     
    Jonathan
  •  03-12-2010, 10:31 AM 59364 in reply to 59347

    Re: Cute Editor injecting code from Firefox add-ins

    vanclute:
    Yes that does remove the offending code, of course along with all the javascript I actually DO want to be there.
     
    So what now?
     
    Jonathan
     
    Ok.
     
    We cannot prevent Skype plug-ins from adding code to the editor. But we can remove the code after it is added into the editor.
     
    Please check the following article and write a customized html filter to remove all Skype related code.
     
     
    Hope it helps.
     
    Keep me posted


  •  03-12-2010, 11:32 AM 59369 in reply to 59364

    Re: Cute Editor injecting code from Firefox add-ins

    I don't see how that's helpful at all, I can't simply remove all <script> tags as I need my users to be able to place javascript in their templates.  This solution would prevent that completely.
     
    I need a solution that prevents third party applications from injecting code into your editor.  That doesn't seem like too much to ask as they shouldn't be able to do it in the first place.
     
    Jonathan
     
    EDIT:  Please remember that this is not a Skype issue.  This happens with LastPass as well as Skype, and probably others that we just haven't seen as well.  There is no way to determine whose code we would be removing by HTML tags.
  •  03-12-2010, 2:06 PM 59376 in reply to 59369

    Re: Cute Editor injecting code from Firefox add-ins

    Some additional info...
     
    If I use the FF add-in "Web Developer" I can view the actual generated source code of the page.  This is showing me that any add-in that manipulates page content, such as the Skype or LastPass add-ins in this case, inserts javascript into the <head> area of the page dynamically behind the scenes.  For some reason however they are ALSO injecting it into the <head> area of any code that is in the CE HTML editor view.
     
    Obviously these add-ins have to do what they do by design in order to work.  I suppose one could argue that the bug is in the add-ins, but they are working as designed, so either the bug is in Firefox itself, or CE.  Either way, CE should somehow prevent any outside code from inserting itself into their editor.
     
    We are going to try some things on our end to see if somehow we can prevent this, but I'm not very optimistic about them working.
     
    Any other solution ideas?  Does this need to be brought to the attention of the mozilla people?
     
    Jonathan
  •  03-14-2010, 12:46 PM 59385 in reply to 59376

    Re: Cute Editor injecting code from Firefox add-ins

    Our attempts at fixing this have failed.  We are instead going to remove the CE HTML edit mode completely from our application, instead offering a simple <TEXTAREA> for people to work in if they need to edit HTML.  Of course this means we are giving up any of the CE features such as find/replace, etc. which is unfortunate, but since no workable solution has presented itself here, it's our only option unless we want to start looking at other editors again.
     
    This is an extremely serious problem, and is only one of a number of very serious problems we've encountered with the HTML mode in CE (it can completely destroy your code if you do a lot with PHP in the code, which our users do).  No response ever came to my support request delivered through your website a week ago, and no solution has come up here either.  I'm quite disappointed overall and am beginning to wonder if it was a mistake purchasing CE.
     
    Jonathan
  •  03-15-2010, 12:31 PM 59402 in reply to 59369

    Re: Cute Editor injecting code from Firefox add-ins

    vanclute:
    I don't see how that's helpful at all, I can't simply remove all <script> tags as I need my users to be able to place javascript in their templates.  This solution would prevent that completely.
     
    I need a solution that prevents third party applications from injecting code into your editor.  That doesn't seem like too much to ask as they shouldn't be able to do it in the first place.
     
    Jonathan
     
    EDIT:  Please remember that this is not a Skype issue.  This happens with LastPass as well as Skype, and probably others that we just haven't seen as well.  There is no way to determine whose code we would be removing by HTML tags.
     
    vanclute,
     
    I don't mean to ask you to remove all javascript code. There must be some differences between your own javascript code and the code inserted by Skype.

    The customized code filter allows you to write a regular expression. You can use it to remove any code you don't like.
     
    The following filter removes all <form></form> tags:

     

    <script type="text/javascript">
    // Strip every <form ...> and </form> tag but keep the markup between them ($2).
    // The lazy [\s\S]*? and the g flag make this apply to each form in the code.
    function CuteEditor_FilterHTML(editor, code)
    {
        return code.replace(/(<form[^>]*>)([\s\S]*?)(<\/form>)/gi, "$2");
    }
    function CuteEditor_FilterCode(editor, code)
    {
        return code.replace(/(<form[^>]*>)([\s\S]*?)(<\/form>)/gi, "$2");
    }
    </script>

     


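
A marker-based version of the filter discussed in this thread, as an added example (not part of any post, and not CuteSoft or LastPass code): it removes only `<script>` blocks whose body contains identifiers from the LastPass snippet in the first post and leaves every other script in place. `stripInjectedScripts`, the marker list and the sample template are assumptions for illustration; the thread never shows the Skype add-in's code, so no Skype marker is included.

```javascript
// Identifiers copied from the LastPass snippet quoted in the first post.
// Extend this list only with strings captured from real injected code.
const INJECTED_SCRIPT_MARKERS = [
  /\blastpass_iter\b/,
  /\blpsubmitorig\b/,
  /\blpformsubmit\b/,
];

// One complete <script ...>...</script> element; the body is captured lazily
// so adjacent scripts are evaluated one at a time.
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Returns the cleaned HTML plus a record of what was dropped, so unexpected
// removals (or new, unmatched injections) can be reviewed.
function stripInjectedScripts(html, markers = INJECTED_SCRIPT_MARKERS) {
  const removed = [];
  const cleaned = html.replace(SCRIPT_BLOCK, (block, body) => {
    const hit = markers.find((re) => re.test(body));
    if (!hit) return block; // user-authored script: keep byte-for-byte
    removed.push({ marker: hit.source, length: block.length });
    return "";
  });
  return { cleaned, removed };
}

// Hook names as given in the staff reply above.
function CuteEditor_FilterHTML(editor, code) {
  return stripInjectedScripts(code).cleaned;
}
function CuteEditor_FilterCode(editor, code) {
  return stripInjectedScripts(code).cleaned;
}

// Constructed sample: one injected block (shortened) and one user script.
const SAMPLE_TEMPLATE = [
  "<head>",
  "<script>try { for(var lastpass_iter=0; lastpass_iter < document.forms.length; lastpass_iter++){} } catch (e) {}</script>",
  '<script type="text/javascript">function initSlideshow() { return 1 < 2; }</script>',
  "</head>",
  '<body><form action="/save"><input name="q"></form></body>',
].join("\n");

console.log(stripInjectedScripts(SAMPLE_TEMPLATE));
```

A user script that happens to contain one of the marker strings would also be removed, so keep the markers specific. Because the filter runs in the browser, running the same check on the server when a template is saved covers clients where the hook did not run.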
