Does anyone of you know about this? Tbh I did not give much thought to this, since CKEditor is a third-party API and I expected it to be functioning and secure when it was implemented. If so, what are the ways to fix the problem? Use it together with HTML Purifier?
Any time users are allowed to add HTML to a site via a front-end widget, there is an opportunity for an XSS attack. Many clients require/request the ability to enter HTML, either directly or indirectly through a widget such as CKEditor. In more cases than not, this should be behind authentication. You shouldn't allow users who don't have a vested interest in the site and/or company the flexibility to add any HTML they want. General public users should be limited to either a small set of HTML tags, BBCode, or plain text. However, in theory site admins should have full flexibility, to an extent. Though it is always a fine line when giving any non-developer too much power, particularly those who don't know their limits. From what I recall, CKEditor has a server-side counterpart that can be used to limit certain tags from being valid input, though I haven't messed around with the inner workings/configuration of CKEditor in a while.
FCKEditor had an upload component that wasn't sanitizing stuff correctly, which was also a major issue, but I think that was addressed a few years ago. As noted, a public-facing HTML editor is a fundamental security risk; Markdown is really the way to fly.
I see, thanks for the response, guys. It seems that my application was initially safer with HTML Purifier, but then it was removed since it was malfunctioning after a few updates. Could the lack/deactivation of HTML Purifier be the cause of security holes? Does it solve the problem completely if HTML Purifier is enabled/working again? And if not, what else do I have to do to ensure safety for this kind of WYSIWYG editor (stripping <script> tags, maybe)?
Using something like Markdown, which strips out all HTML and builds its own non-HTML formatting, is the safest bet. Anything else and you are just playing with fire, IMHO.
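The question raised above, whether stripping <script> tags is enough or whether an allowlist filter like HTML Purifier is needed, shown as an added example that is not from this thread, from CKEditor or from HTML Purifier: a minimal server-side allowlist sanitizer in Python (stdlib only), placed next to the naive regex approach so the bypasses are visible. The allowed tags, attributes and URL schemes, and the sample inputs in `demo()`, are assumptions constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Naive approach: delete <script> tags with a regex. Kept only to show why
# it is not a defence: event-handler attributes and javascript: URLs are
# untouched, and split tags like <scr<script>ipt> re-assemble after removal.
SCRIPT_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

def strip_script_tags(markup: str) -> str:
    return SCRIPT_RE.sub("", markup)

# Allowlist approach (assumed policy for this example): rebuild the document
# from parsed tokens, keeping only known tags/attributes; everything else,
# including unknown attributes and unsafe URL schemes, is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its text are discarded
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def _safe_url(value: str) -> bool:
    # Browsers ignore control characters and whitespace inside the scheme,
    # so "java\tscript:" still executes; strip them before checking.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    m = _SCHEME_RE.match(cleaned)
    if m is None:
        return True                       # relative URL, no scheme
    return m.group(1) in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded for us
        self.out = []
        self.stack = []        # currently open allowed tags, for balancing
        self.skip_depth = 0    # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return             # drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue       # onerror=, onmouseover=, style= ... all gone
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in self.stack:  # close anything left open inside it, then it
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.stack:      # close tags the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()

def demo():
    # Constructed inputs: each defeats the regex but not the allowlist.
    samples = [
        '<p onmouseover="alert(1)">hi</p>',
        '<a href="&#106;ava\tscript:alert(1)">x</a>',
        '<scr<script>ipt>alert(1)</script>',
        '<img src=x onerror=alert(1)>',
    ]
    return [(s, strip_script_tags(s), sanitize(s)) for s in samples]

if __name__ == "__main__":
    for raw, naive, clean in demo():
        print(f"{raw!r}\n  regex : {naive!r}\n  allow : {clean!r}")
```

The filtering has to run on the server: CKEditor's own client-side filtering only shapes what the editor produces, and anyone can POST arbitrary HTML to the form handler without going through the editor. In PHP that server-side role is exactly what HTML Purifier fills, configured with an explicit list of allowed elements and attributes rather than a denylist of bad ones.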