"on" replaced by "data-cke-671a164ccbf7b-on" in CKEditor

[ywarnier]

1.11.28 (just released) came with many security fixes, one of them being to filter "on(event)" words in any HTML edited through CKEditor.
However, this filter was too wide and actually replaced all "on" words preceded by a space by something like "data-cke-671a164ccbf7b-on", which is a big issue.

This stems from this commit: df47eac which added the "attr_on_filter()" method, which is not strict enough.

We are working on a fix.

[ywarnier]

Given it's a filter on attributes, the regular expression should at least ensure it is withing an HTML tag or (because this might not cover enough) ensure that it checks for a given number of known events from the JavaScript language (this is limited because this might change over time) or to just try and recognize a syntax where the event can be declared as any text contained between "on" and "=", but this might also be too wide and trap any text contained between an "on" word and an equal sign.

[ywarnier]

The patch above might still cause issue (mostly in the English language) if a text contains some formula that has " on[something] =" in it, but we assume cases like this will be limited.

[ywarnier]

The fix is just one line to change in Chamilo's code, but we're preparing a corrective release to make sure this is included.

[ywarnier]

In the meantime, try to avoid the "on" word with a space/separation marker in front in anything edited through the WYSIWYG editor.

[AngelFQC]

After 3e2582f

• Remove On* attributes single quotes

 on onion onboard <img src="image.jpg" onclick='alert("click!")'>
 on onion onboard <img src="image.jpg">

• Remove On* attributes double quotes

 on onion onboard <img src="image.jpg" onmouseover="alert('hover!')">
 on onion onboard <img src="image.jpg">

• Remove On* attributes no quotes

 on onion onboard <img src="image.jpg" onerror=alert(1)>
 on onion onboard <img src="image.jpg">

• No On* attributes

 on onion onboard <img src="image.jpg" alt="An image">
 on onion onboard <img src="image.jpg" alt="An image">

• Remove multiple On* attributes

 on onion onboard <img src="image.jpg" onclick="alert('click!')" onmouseover="alert('hover!')" alt="Image">
 on onion onboard <img src="image.jpg" alt="Image">

• Remove mixed On* attributes

<div class="container" onload="init()" onfocus="focusHandler()">on onion onboard <img src="image.jpg" onclick="alert('click!')"></div>
<div class="container">on onion onboard <img src="image.jpg"></div>

[ywarnier]

The latest fixes seem to have solved it for everyone. Thanks.