Reputation: 509
I'm trying to let my users paste some HTML tags in their posts by using CKEditor.
But I have blacklisted some of them, like script,
for example to avoid XSS attacks.
Here is part of my config.js
'...'
config.allowedContent = {
    $1: {
        elements: CKEDITOR.dtd,
        attributes: true,
        styles: true,
        classes: true
    }
};
config.disallowedContent = 'script;';
'...'
config.toolbar_mini = [
    { name: 'paragraph', groups: [ 'blocks', 'align', 'bidi' ], items: [ 'Blockquote', 'CreateDiv', '-', 'JustifyLeft', 'JustifyCenter', 'JustifyRight', 'JustifyBlock' ] },
    { name: 'styles', items: [ 'Font', 'FontSize' ] },
    { name: 'colors', items: [ 'TextColor', 'BGColor' ] },
    { name: 'basicstyles', groups: [ 'basicstyles', 'cleanup' ], items: [ 'Bold', 'Italic', 'Underline', 'Strike', '-', 'RemoveFormat' ] },
    { name: 'insert', items: [ 'Imgur', 'tliyoutube2', 'linkfile', 'Source' ] },
];
When I click on Source to add an HTML tag and add
<script>alert('test')</script>
then click on Source again to go back to non-HTML content and submit my post, CKEditor removes the script tag correctly, as I expected.
But if I do the same:
click on Source, then add my script tag
<script>alert('test')</script>
and submit the post without leaving Source mode, the script is saved in my DB and executed.
Also, if I try to edit this message and go into Source mode, CKEditor disables this script tag.
Obviously I have to create a validator on my backend to avoid this. But I don't think this is the correct behavior of disallowedContent,
or if it is, then I don't understand why.
Did I misconfigure my CKEditor, or is it the correct behavior?
Upvotes: 2
Views: 285
Reputation: 3151
It seems that Source mode doesn't implement filtering: https://github.com/ckeditor/ckeditor-dev/issues/2326
I would disable the Source plugin or prevent the submission while in Source mode.
Upvotes: 1
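A backend validator of the kind the question says it needs, added here as an example: it is not CKEditor's filter and not the poster's code, it assumes a Python backend, and its allowlist is a constructed stand-in for the allowedContent/disallowedContent rule in the question. It rebuilds the submitted HTML from that allowlist, so the result no longer depends on whether the editor was left in Source mode.

```python
from html.parser import HTMLParser
from html import escape

# Constructed policy (assumption): tags the toolbar in the question can produce,
# attributes that carry no script, and tags dropped together with their content.
ALLOWED_ELEMENTS = {"p", "div", "blockquote", "span", "font", "b", "strong", "i",
                    "em", "u", "s", "strike", "br", "a", "img", "ul", "ol", "li"}
ALLOWED_ATTRIBUTES = {"style", "class", "href", "src", "alt", "color", "size", "face"}
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its text both vanish
VOID_ELEMENTS = {"br", "img"}            # never emit a closing tag for these
URL_ATTRIBUTES = {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class ServerSideFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_ELEMENTS:
            return  # unknown tag is removed; its text survives as plain text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES or value is None:
                continue  # drops onerror=, onclick= and every other event handler
            if name in URL_ATTRIBUTES and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # re-escapes stray < and &


def sanitize(html):
    """Return the filtered HTML; run on every submission, Source mode or not."""
    f = ServerSideFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

The style attribute is kept only because the question's config allows styles; a stricter policy would whitelist CSS properties too.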