Project

General

Profile

Actions

Feature #102447

open

Prevent information disclosure from Only Office by copy-paste of text with "docData;DOCY" blobs in RTE / ckeditor

Added by Sybille Peters 7 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
RTE (rtehtmlarea + ckeditor)
Target version:
-
Start date:
2023-11-22
Due date:
% Done:

0%

Estimated time:
PHP Version:
Tags:
docData, RTE, ckeditor, onlyoffice, information leak
Complexity:
Sprint Focus:

Description

This seems to be already fixed in ckeditor: https://github.com/ckeditor/ckeditor5/issues/14947

We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.

However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.

Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.

This is a problem because:

  • sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).
  • it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)
  • it clutters up the visible history (sys_history view in BE)

I have seen this in our site which uses latest TYPO3 v11.

No data to display

Actions

Also available in: Atom PDF