  1. #1 (SitePoint Addict, Ithaca, joined Apr 2013, 351 posts)

    CKEditor vulnerable to XSS attack?

    Do any of you know about this? Tbh I did not give much thought to this since CKEditor is a third-party API and I expected it to be functioning and secure when it was implemented. If so, what are the ways to fix the problem? Use it together with HTML Purifier?

  2. #2 (SitePoint Wizard, Augusta, Georgia, United States, joined Jul 2006, 4,147 posts)
    Anytime users are allowed to add HTML to a site via a front-end widget there is an opportunity for an XSS attack. Many clients require/request the ability to enter HTML either directly or indirectly through a widget such as CKEditor. In more cases than not this should be behind authentication. You shouldn't allow users who don't have a vested interest in the site and/or company the flexibility to add any HTML they want. General public users should either be limited to a small set of HTML tags, bbcode, or plain text. However, in theory site admins should have full flexibility to an extent. Though it is always a fine line when giving any non-developer too much power. Particularly those who don't know their limits. From what I recall CKEditor has a server-side counterpart that can be used to limit certain tags from being valid input. Though I haven't messed around with the inner workings/configuration of CKEditor in a while.
    The only code I hate more than my own is everyone else's.

  3. #3 (wwb_99, SitePoint Author, Washington, DC, joined May 2003, 10,629 posts)
    FCKEditor had an upload component that wasn't sanitizing stuff correctly, which was also a major issue, but I think that was addressed a few years ago. As noted, a public-facing HTML editor is a fundamental security risk; Markdown is really the way to fly.

  4. #4 (SitePoint Addict, Ithaca, joined Apr 2013, 351 posts)
    I see, thanks for the response guys. It seems that my application was initially safer with HTML Purifier but then it was removed since it was malfunctioning after a few updates. Could the lack/deactivation of HTML Purifier be the cause of security holes? Does it solve the problem completely if HTML Purifier is enabled/working again? And if not, what else do I have to do to ensure safety for these kinds of WYSIWYG editors (stripping <script> tags maybe)?

  5. #5 (wwb_99, SitePoint Author, Washington, DC, joined May 2003, 10,629 posts)
    Using something like Markdown, which strips out all HTML and builds its own non-HTML formatting, is the safest bet. Anything else, you are just playing with fire IMHO.
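The "small set of HTML tags" approach from post #2, enforced server-side, and the question in post #4 about whether stripping `<script>` tags is enough, as an added example that is not part of this thread and is neither CKEditor's nor HTML Purifier's code. It uses only the Python standard library; the tag set, the attributes kept per tag, the allowed URL schemes and the sample inputs are all constructed for the example. The point it makes: rebuild the fragment from an allowlist and re-escape everything else, because script can also run from event-handler attributes and `javascript:` links on otherwise harmless tags, so removing one tag by name does not close the hole.

```python
"""Server-side allowlist sanitizer for HTML submitted through a WYSIWYG editor.

Added example for this thread; not CKEditor's or HTML Purifier's code.
The policy below (tags, attributes, URL schemes) is a constructed example.
Python standard library only.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a public user may submit and, per tag, the attributes that survive.
# Anything absent here (style, class, every on* event handler, iframe,
# object, ...) is discarded; nothing is blocked by name.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"},
}
VOID_TAGS = {"br"}
# Elements whose text content must be dropped too, not just the tag itself.
DROP_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return a cleaned href if its scheme is allowed (or it is relative), else None."""
    # Remove control characters before parsing: browsers ignore some of them
    # inside URLs, so checking the scheme of the raw string would be too lenient.
    cleaned = "".join(ch for ch in value if ord(ch) > 31).strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return cleaned
    return None


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags currently open, for balanced output
        self.skipping = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag vanishes; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_CONTENT:
                self.skipping = False
            return
        if tag in self.open_tags:
            # Close everything down to the matching tag so nesting stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # Text is always re-escaped; the parser already decoded entities,
        # so any '<' or '&' here is literal and must not reach the browser raw.
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions are dropped by the
    # HTMLParser defaults, so nothing needs overriding for them.


def sanitize(fragment):
    """Return the allowlist-filtered, well-formed version of an HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.open_tags:  # close anything the submitter left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs of the kind an editor, or a user bypassing it, can submit.
    for sample in (
        '<p>Hello <b onmouseover="steal()">world</b></p>',
        '<p>x<script>track()</script>y</p>',
        '<a href="javascript:doSomething()">click</a>',
        '<a href="https://example.com/docs">docs</a>',
        '<div class="x">a < b & c</div>',
        '<b><i>unbalanced</b>',
    ):
        print(sanitize(sample))
```

Run this on the stored HTML before it is rendered, never only in the browser: the editor's own filtering runs on the client and can be bypassed by posting directly to the form handler. Adding a tag to `ALLOWED_TAGS` is a deliberate policy change, which is the property a deny-list never gives you. On the Markdown suggestion in post #5, note that most Markdown renderers pass inline HTML through unchanged unless told to escape it, so a Markdown pipeline needs either that escape option or a sanitizer like this one on the rendered output.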

