hall_of_famer — 2013-12-23T12:11:54-05:00 — #1
Anyone of you know about this? Tbh I did not give much thought to this since CKEditor is a third-party API and I expected it to be functioning and secure when it was implemented. If so, what are the ways to fix the problem? Use it together with HTML Purifier?
oddz — 2013-12-23T12:37:42-05:00 — #2
Anytime users are allowed to add HTML to a site via a front-end widget there is an opportunity for an XSS attack. Many clients require/request the ability to enter HTML directly, either directly or indirectly through a widget such as CKEditor. In more cases than not this should be behind authentication. You shouldn't allow users who don't have a vested interest in the site and/or company the flexibility to add any HTML they want. General public users should either be limited to a small set of HTML tags, bbcode, or plain text. However, in theory site admins *should* have full flexibility, to an extent. Though it is always a fine line when giving any non-developer too much power, particularly those who don't know their limits. From what I recall CKEditor has a server-side counterpart that can be used to limit certain tags from being valid input. Though I haven't messed around with the inner workings/configuration of CKEditor in a while.
wwb_99 — 2013-12-24T02:40:14-05:00 — #3
FCKEditor had an upload component that wasn't sanitizing stuff correctly, which was also a major issue, but I think that was addressed a few years ago. As noted, a public-facing HTML editor is a fundamental security risk; Markdown is really the way to fly.
hall_of_famer — 2014-01-01T13:21:13-05:00 — #4
I see, thanks for the response guys. It seems that my application was initially safer with HTML Purifier, but then it was removed since it was malfunctioning after a few updates. Could the lack/deactivation of HTML Purifier be the cause of security holes? Does it solve the problem completely if HTML Purifier is enabled/working again? And if not, what else do I have to do to ensure safety for this kind of WYSIWYG editor (stripping <script> tags maybe)?
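To make concrete what "limit public users to a small set of HTML tags" (post #2) and "stripping <script> tags" (post #4) look like on the server side, here is an added example that is not from the thread, from CKEditor, or from HTML Purifier. It is a small allowlist sanitizer written in Python on top of the standard-library HTMLParser, assuming the server receives the editor's HTML as a string. It is an allowlist rather than a denylist: anything not explicitly permitted is dropped, which is why it also handles the cases a plain `<script>` strip misses, namely inline event handlers such as `onmouseover`, `javascript:` URLs in `href`, and the tab/newline-in-scheme trick browsers tolerate. The tag and attribute sets, the `sanitize` function, and the sample inputs are all my own assumptions for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for anonymous/public input: a few formatting tags,
# one attribute-bearing tag, and a short list of URL schemes.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}  # drop these together with their content


def safe_url(value):
    """Accept only relative URLs or allowlisted schemes.

    Browsers strip ASCII control characters (tab, newline, ...) from a URL
    before resolving it, so 'java\\tscript:alert(1)' runs as javascript:.
    Strip the same characters before inspecting the scheme."""
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlparse(cleaned).scheme  # urlparse lowercases the scheme
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.stack = []      # currently open allowed tags, for re-closing
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, src, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.stack:
            return
        # Close down to the matching tag so output stays well-formed.
        while self.stack:
            open_tag = self.stack.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs decoded entities; re-encode so text stays text.
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through to the
    # HTMLParser defaults, which discard them.


def sanitize(html):
    """Return an allowlisted, well-formed HTML fragment for untrusted input."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.stack:  # close anything the input left open
        parser.out.append("</%s>" % parser.stack.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs of the kind a WYSIWYG editor might submit.
    for sample in (
        '<p>Hi <b onmouseover="alert(1)">there</b></p>',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="java\tscript:alert(1)">click</a>',
        '<script>alert(1)</script><p>safe</p>',
        '<img src=x onerror=alert(1)>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The point of the example is the direction of the check: a denylist that removes `<script>` leaves `<img onerror>`, `<b onmouseover>` and `javascript:` links untouched, whereas the allowlist above never emits an attribute or tag it has not been told about. A real deployment would use a maintained library (HTML Purifier on the PHP side, for instance) rather than this sketch, but the allowlist principle is the same.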
wwb_99 — 2014-01-03T16:09:58-05:00 — #5
Using something like Markdown, which strips out all HTML and builds its own non-HTML formatting, is the safest bet. Anything else you are just playing with fire IMHO.