CKEditor WYSIWYG: Users allowed to insert JavaScript - Safe or not?

  #1 SitePoint Addict

    Greetings,

    I have a site where visitors can write posts using CKEditor, which is a WYSIWYG editor. Right now, it allows members to write HTML/CSS in the source code along with text so they can create formatted posts. In addition, members can also post JavaScript in there as well.

    Is there any kind of security risk with allowing third-party members to post JavaScript using CKEditor? If so, how can I prevent members from posting JavaScript, but still allow HTML/CSS using CKEditor?

    Thanks

  #2 dklynn (Certified Ethical Hacker, Auckland)

    peppy,

    I got hacked some time ago and the attack vector was to upload a JavaScript at the beginning of certain files. That code went to their website for the spamming code and was difficult to find (maldet was a massive help to track down all instances across subdomains [addons]). IMHO, allowing ANY HTML code is a major error and offers an easy avenue of attack. In other words, been there, done that, and you don't want to make that any easier than hacking passwords (the presumed entry point).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  #3 SitePoint Addict

    Thanks for the response. Our site acts similar to Craigslist, where they make a post and it gets inserted into a section within the <body> of the page, so they wouldn't have access to the headers or beginning of the files.

    I know CKEditor has some kind of filter, so maybe there is a way to single out and strip <script> code.

    Why would it be bad to include HTML for styling the listing like eBay does, even when all <script> is removed?

    Thanks
    Kind regards

  #4 dklynn (Certified Ethical Hacker, Auckland)

    peppy,

    Since <script> tags can be put within the <body>, the location makes no difference.

    Do you want <div> and <iframe> tags, too? It's just too many ways to mess up your page if you allow HTML tags.

    For my clients, I've written something like your CKEditor but have it add code like SitePoint uses. Try making parts of your text bold or italic - that's what I've done and it works fine (safe).

    If you can envision all the various nonsense that hackers can use (like encoding < as &lt; or %3c), then MAYBE you can outguess ALL the hackers' attempts to use your site as a launching pad for SPAM (and other exploits). IMHO, it's not worth the effort. Learn from SitePoint's code.

    Regards,

    DK

  #5 Mittineague (Programming Team, West Springfield, Massachusetts)

    I agree. Instead of trying to figure out what tags to not allow, think about what to allow, i.e. put together a set of tags you think would be good to have, create bbcode tags for them, and limit users to those. Allowing HTML and/or CSS is an invitation to trouble, and allowing script will certainly bring problems.
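    One way to do what Mittineague describes (decide what to allow, not what to strip), as an added example that is not code from this thread, from CKEditor or from SitePoint: a server-side sanitizer on Python's standard html.parser that rebuilds each post from an allowlist of tags and attributes, so <script>, <iframe> and <div> from DK's posts, and anything else not on the list, never reach the page. The tag list, the http(s)-only rule for links and the sample inputs are assumptions for the example; because it parses instead of pattern-matching, the encoded forms DK mentions (&lt;, %3c) stay literal text.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: tag -> attributes permitted on it; anything absent is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "ul": set(), "li": set(), "a": {"href"}}
VOID = {"br"}                                      # tags that take no closing tag
DROP_WITH_CONTENT = {"script", "style", "iframe"}  # tag *and* its body are removed

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)    # &lt; arrives as text, never as a tag
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1                         # swallow everything until it closes
        if self.skip or tag not in ALLOWED:
            return                                 # unknown tag: drop it, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue                           # only plain web links survive (assumed rule)
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.stack:
            while self.stack:                      # also close anything left open inside
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text stays text

def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()                  # constructed sample inputs live in the tests
    parser.feed(html)
    parser.close()
    while parser.stack:                            # close tags the author left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)
```

    Run it on the stored post at save time and again at render time if the allowlist ever changes; a %3c in the body is not decoded in HTML text, so it passes through as the literal characters the reader sees.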