WYSIWYG Editor JS Insertion


WYSIWYG Editor JS Insertion

Postby Ames » Wed Jan 21, 2009 6:15 pm

I was using a WYSIWYG editor and noticed that some JavaScript kept getting inserted into it. I was in Firefox. It's Interspire's Email Marketer. Here is what was getting inserted.


<html>
<head>
<script>
/*
 * Reviewer annotation: this comment was added for explanation and is not part
 * of what was inserted.
 *
 * The one-line script below wraps the submit() method of every form in the
 * document. The wrapper looks up the form's index among all <form> elements,
 * appends an <lpformsubmitdataelement> carrying that index ('formnum') and the
 * tag from='submithook' to the root element, dispatches a bubbling,
 * non-cancelable 'lpformsubmit' event on it, and then calls the original
 * submit() saved as lpsubmitorig.
 *
 * The script itself reads no field values and sends nothing on its own; it
 * only signals which form is being submitted. Presumably a listener outside
 * this snippet (the extension) handles the event - not visible here.
 * Every step is wrapped in try/catch with empty handlers, so failures are
 * silent and the original submit() is still attempted.
 */
try { for(var lastpass_iter=0; lastpass_iter < document.forms.length; lastpass_iter++){ var lastpass_f = document.forms[lastpass_iter]; if(typeof(lastpass_f.lpsubmitorig)=="undefined"){ if (typeof(lastpass_f.submit) == "function") { lastpass_f.lpsubmitorig = lastpass_f.submit; lastpass_f.submit = function(){ var form = this; try { if (document.documentElement && 'createEvent' in document) { var forms = document.getElementsByTagName('form'); for (var i=0 ; i<forms.length ; ++i) if (forms[i]==form) { var element = document.createElement('lpformsubmitdataelement'); element.setAttribute('formnum',i); element.setAttribute('from','submithook'); document.documentElement.appendChild(element); var evt = document.createEvent('Events'); evt.initEvent('lpformsubmit',true,false); element.dispatchEvent(evt); break; } } } catch (e) {} try { form.lpsubmitorig(); } catch (e) {} } } } }} catch (e) {}</script>
</head>
<body>
<br/>
</body>
</html>

Re: WYSIWYG Editor JS Insertion

Postby JoeSiegrist » Wed Jan 21, 2009 11:05 pm

Ames Wrote:I was using a WYSIWYG editor and noticed that some JavaScript kept getting inserted into it. I was in Firefox. It's Interspire's Email Marketer. Here is what was getting inserted.


Are you seeing it in a 'View Generated Source' or is this in the actual wysiwyg contents? We'd expect the former, we wouldn't expect the latter.

Is there a way we can login to see this? If you're willing to change your password then share the account with joe@lastpass.com it would be a big help.

Thanks,

Joe

Re: WYSIWYG Editor JS Insertion

Postby Ames » Wed Jan 21, 2009 11:32 pm

JoeSiegrist Wrote:
Ames Wrote:I was using a WYSIWYG editor and noticed that some JavaScript kept getting inserted into it. I was in Firefox. It's Interspire's Email Marketer. Here is what was getting inserted.


Are you seeing it in a 'View Generated Source' or is this in the actual wysiwyg contents? We'd expect the former, we wouldn't expect the latter.

Is there a way we can login to see this? If you're willing to change your password then share the account with joe@lastpass.com it would be a big help.

Thanks,

Joe

Yes it's when I flip to the source view. They have a free demo if you want to try it.

http://www.interspire.com/emailmarketer/demo.php

Re: WYSIWYG Editor JS Insertion

Postby bill10351184 » Fri Feb 06, 2015 1:20 pm

Also seeing this happen in Silverpop, switching from "Design View" to "Source View". It seems to insert this script block every time.

<script type="text/javascript">try {
        // Reviewer annotation: the comments in this listing were added for
        // explanation; they are not part of the script that was inserted.
        //
        // Purpose: wrap the submit() method of every form in the document so
        // that a script-initiated submit first raises a custom 'lpformsubmit'
        // DOM event. The script itself reads no field values and sends nothing
        // on its own; it only signals which form is being submitted.
        // Presumably a listener outside this snippet (the extension) handles
        // the event - that part is not visible here.
        //
        // NOTE(review): the marker element and the event live in the page's
        // own DOM, so scripts on the page can observe them too.
        for (var lastpass_iter = 0; lastpass_iter < document.forms.length; lastpass_iter++) {
            var lastpass_f = document.forms[lastpass_iter];
            // Hook each form only once: the saved lpsubmitorig property doubles
            // as the "already hooked" marker.
            if (typeof(lastpass_f.lpsubmitorig) == "undefined") {
                // Skip forms whose submit is not callable (for example when a
                // form control named "submit" shadows the method).
                if (typeof(lastpass_f.submit) == "function") {
                    // Keep the original method on the form, then replace it.
                    lastpass_f.lpsubmitorig = lastpass_f.submit;
                    lastpass_f.submit = function () {
                        var form = this;
                        try {
                            // Only run where the DOM event API used below exists.
                            if (document.documentElement && 'createEvent' in document) {
                                var forms = document.getElementsByTagName('form');
                                // Find this form's position among all <form> elements.
                                for (var i = 0; i < forms.length; ++i)                if (forms[i] == form) {
                                    // Marker element carrying the form index and
                                    // the origin of the notification.
                                    var element = document.createElement('lpformsubmitdataelement');
                                    element.setAttribute('formnum', i);
                                    element.setAttribute('from', 'submithook');
                                    // Appended to the root element; nothing in
                                    // this script removes it afterwards.
                                    document.documentElement.appendChild(element);
                                    var evt = document.createEvent('Events');
                                    // initEvent(type, bubbles, cancelable):
                                    // bubbling, not cancelable.
                                    evt.initEvent('lpformsubmit', true, false);
                                    element.dispatchEvent(evt);
                                    break;
                                }
                            }
                        } catch (e) {
                            // Swallowed so a failed notification does not block
                            // the submit below.
                        }
                        try {
                            // Always hand over to the page's original submit().
                            form.lpsubmitorig();
                        } catch (e) {
                            // Swallowed: a failure of the original submit() is
                            // not reported to the caller.
                        }
                    }
                }
            }
        }
    } catch (e) {
        // Swallowed: if installing the hooks fails, the page is left as it was
        // at the point of failure and no error is surfaced.
    }</script>

Re: WYSIWYG Editor JS Insertion

Postby dmitrijLP » Sun Feb 15, 2015 12:36 pm

bill10351184 Wrote:Also seeing this happen in Silverpop, switching from "Design View" to "Source View". It seems to insert this script block every time.

<script type="text/javascript">try {
        // Reviewer annotation: the comments in this listing were added for
        // explanation; they are not part of the script that was inserted.
        //
        // Purpose: wrap the submit() method of every form in the document so
        // that a script-initiated submit first raises a custom 'lpformsubmit'
        // DOM event. The script itself reads no field values and sends nothing
        // on its own; it only signals which form is being submitted.
        // Presumably a listener outside this snippet (the extension) handles
        // the event - that part is not visible here.
        //
        // NOTE(review): the marker element and the event live in the page's
        // own DOM, so scripts on the page can observe them too.
        for (var lastpass_iter = 0; lastpass_iter < document.forms.length; lastpass_iter++) {
            var lastpass_f = document.forms[lastpass_iter];
            // Hook each form only once: the saved lpsubmitorig property doubles
            // as the "already hooked" marker.
            if (typeof(lastpass_f.lpsubmitorig) == "undefined") {
                // Skip forms whose submit is not callable (for example when a
                // form control named "submit" shadows the method).
                if (typeof(lastpass_f.submit) == "function") {
                    // Keep the original method on the form, then replace it.
                    lastpass_f.lpsubmitorig = lastpass_f.submit;
                    lastpass_f.submit = function () {
                        var form = this;
                        try {
                            // Only run where the DOM event API used below exists.
                            if (document.documentElement && 'createEvent' in document) {
                                var forms = document.getElementsByTagName('form');
                                // Find this form's position among all <form> elements.
                                for (var i = 0; i < forms.length; ++i)                if (forms[i] == form) {
                                    // Marker element carrying the form index and
                                    // the origin of the notification.
                                    var element = document.createElement('lpformsubmitdataelement');
                                    element.setAttribute('formnum', i);
                                    element.setAttribute('from', 'submithook');
                                    // Appended to the root element; nothing in
                                    // this script removes it afterwards.
                                    document.documentElement.appendChild(element);
                                    var evt = document.createEvent('Events');
                                    // initEvent(type, bubbles, cancelable):
                                    // bubbling, not cancelable.
                                    evt.initEvent('lpformsubmit', true, false);
                                    element.dispatchEvent(evt);
                                    break;
                                }
                            }
                        } catch (e) {
                            // Swallowed so a failed notification does not block
                            // the submit below.
                        }
                        try {
                            // Always hand over to the page's original submit().
                            form.lpsubmitorig();
                        } catch (e) {
                            // Swallowed: a failure of the original submit() is
                            // not reported to the caller.
                        }
                    }
                }
            }
        }
    } catch (e) {
        // Swallowed: if installing the hooks fails, the page is left as it was
        // at the point of failure and no error is surfaced.
    }</script>


Not entirely sure what the code actually does, but try adding your URL to Never URLs to see whether restricting LastPass functionality on that site stops the source code above from being generated:

https://helpdesk.lastpass.com/account-s ... Never+URLs

Kind regards,
Dmitrij

Re: WYSIWYG Editor JS Insertion

Postby MagnusA » Sun Oct 09, 2016 9:39 am

Did anyone figure out what this code actually does?
I have seen it on other pages that I browse.

Is it some kind of phishing technique for lastpass forms?

