Prevent XSS in CKEditor

Time: 01-22

I want to save my application from attack, so I wanted to disable any type of execution in my CKEditor config. I found a solution, allowContent: false, which prevents <script> tags inside CKEditor, but after putting <p><a href="javascript:(alert(document.domain))">XSS</a></p> in the CKEditor, it executes the JS inside href.

config

config = {
   ...,
   allowContent: false
}

Now the script below no longer works after applying the above config:

<script>alert(1)</script>

I also wanted to prevent the JS below inside href, but currently it is executing:

<p><a href="javascript:(alert(document.domain))">XSS</a></p>

CodePudding user response:

You have to sanitize the data input to the CKEditor. The config.htmlEmbed.sanitizeHtml option of CKEditor allows plugging in an external sanitizer.

In my opinion, the best sanitizer available for now is the DOMPurify library.

Here is more info on including DOMPurify in CKEditor: more info.

In my opinion, it is very hard to secure CKEditor "by yourself", so better use a sanitizer. There have been some security issues in this software; an interesting example is described here: CKEditor XSS
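As an added example (not code from the question, the answer, CKEditor or DOMPurify), this shows why the question's javascript: link slips past a tag filter and what a sanitizer checks instead: the link target is normalised the way a browser would parse it, then accepted only if its scheme is on an allowlist. The wrapper returns the { html, hasChanged } shape that CKEditor 5's config.htmlEmbed.sanitizeHtml callback expects (assumed here), and the regex attribute rewrite is illustrative only; in production let DOMPurify do the whole job.

```javascript
// Schemes a link target may use. An allowlist, not a "javascript:" blocklist,
// so data:, vbscript: and anything unexpected are rejected as well.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers decode numeric entities (&#106; or &#x6A;) in attribute values before
// interpreting them, so "&#106;avascript:" must be seen as "javascript:".
// Named entities are deliberately not handled here; a full sanitizer decodes them too.
function decodeNumericEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Returns true when the href is a relative URL or uses an allowlisted scheme.
function isSafeHref(rawHref) {
  // URL parsers strip ASCII control characters and whitespace, so "java\tscript:"
  // and " JaVaScRiPt:" both end up as "javascript:"; normalise the same way.
  const href = decodeNumericEntities(rawHref)
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
  const schemeMatch = href.match(/^([a-z][a-z0-9+.-]*):/);
  if (!schemeMatch) return true; // no scheme: relative URL, allowed
  return SAFE_SCHEMES.has(schemeMatch[1]);
}

// Callback in the shape CKEditor 5's htmlEmbed.sanitizeHtml expects (assumed).
// Unsafe <a href> targets are replaced with "#" and the change is reported.
function sanitizeHtml(inputHtml) {
  let hasChanged = false;
  const html = inputHtml.replace(
    /(<a\b[^>]*?\shref\s*=\s*)(["'])(.*?)\2/gi,
    (match, prefix, quote, href) => {
      if (isSafeHref(href)) return match;
      hasChanged = true;
      return `${prefix}${quote}#${quote}`; // neutralise the link target
    }
  );
  return { html, hasChanged };
}

// Constructed sample: the exact payload from the question.
const sample = '<p><a href="javascript:(alert(document.domain))">XSS</a></p>';
console.log(sanitizeHtml(sample)); // { html: '<p><a href="#">XSS</a></p>', hasChanged: true }
```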
