Feature #102447
Prevent information disclosure from Only Office by copy-paste of text with "docData;DOCY" blobs in RTE / ckeditor
Status: open
Description
This seems to be already fixed in ckeditor: https://github.com/ckeditor/ckeditor5/issues/14947
We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.
However, I am not sure which versions of ckeditor and TYPO3 will have this fix.
Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.
This is a problem because:
- sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).
- it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)
- it clutters up the visible history (sys_history view in BE)
I have seen this on our site, which uses the latest TYPO3 v11.
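One way to implement the save-time clean-up suggested in the report, as an added example that is not code from the report, TYPO3 or CKEditor: it removes `docData;` class tokens from stored HTML and counts what was removed, so existing records can be audited as well as cleaned. It assumes the blob is a single whitespace-free class token starting with `docData;`; the function name and sample markup are constructed for illustration.

```javascript
// Added example: strip OnlyOffice "docData;DOCY" clipboard blobs from class attributes.
// Assumption: the blob is one whitespace-free class token that starts with "docData;".
const BLOB_PREFIX = 'docData;';

// Matches class="..." or class='...' preceded by whitespace (so data-class is ignored).
// A regex keeps this sketch dependency-free; a real post-processor should walk a
// parsed DOM so that text content which merely looks like an attribute is not touched.
const CLASS_ATTR = /(\s)class\s*=\s*(["'])([\s\S]*?)\2/gi;

function stripDocDataClasses(html) {
  let removedTokens = 0;
  let removedChars = 0;

  const cleaned = html.replace(CLASS_ATTR, (match, lead, quote, value) => {
    const tokens = value.split(/\s+/).filter(Boolean);
    const kept = tokens.filter((token) => {
      if (!token.startsWith(BLOB_PREFIX)) return true;
      removedTokens += 1;
      removedChars += token.length;
      return false;
    });
    if (kept.length === tokens.length) return match; // no blob in this attribute
    if (kept.length === 0) return '';                // drop the now-empty attribute
    return `${lead}class=${quote}${kept.join(' ')}${quote}`; // keep legitimate classes
  });

  // The counters let a batch job log which records carried blobs and how large they were.
  return { cleaned, removedTokens, removedChars };
}

// Constructed sample: pasted markup with short fake blobs next to real classes.
const sample =
  '<p class="docData;DOCY;QUJDRA== text-center">Hello</p>' +
  "<span class='docData;DOCY;QUJDRA=='>x</span>" +
  '<p class="lead" data-class="docData;keep">ok</p>';

const result = stripDocDataClasses(sample);
console.log(result.cleaned);
console.log(`removed ${result.removedTokens} blob(s), ${result.removedChars} characters`);
```

Running the same function over existing `bodytext` values without writing the result back gives a read-only report of affected records.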