reza

Reputation: 11

Preventing Vulnerabilities in ckeditor?

  1. I want to prevent users from uploading a shell (exploit) to my host. I remember FCKeditor had a few bugs that allowed a hacker to upload files to the server. Is there a similar issue with CKEditor?

  2. How can I trust users' files and make sure they aren't fake files? For example: a hacker can edit the inside of a PDF file -> the file has a pdf extension and type but contains malicious code.

  3. Is using htmlencode/htmldecode enough against XSS attacks?

Upvotes: 1

Views: 1767

Answers (1)

AlfonsoML

Reputation: 12690

  1. CKEditor doesn't include any file upload, you have to add that part.

  2. Again, CKEditor doesn't have that part. They sell CKFinder to fill that role and it has some checks to verify that the uploaded file is safe, but you must be very careful about which users you allow to upload files to your server.

  3. No. If you're using a WYSIWYG editor you are not going to htmlencode the provided data, and other basic tricks aren't enough either. You need a full check like HTMLPurifier.

Upvotes: 2
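To illustrate point 3 of the answer, here is an added example (not from the question, the answer, CKEditor or HTMLPurifier): in Python, `encode_then_decode` shows that the encode-on-save/decode-on-display round trip the question asks about returns the editor's HTML unchanged, so any payload in it reaches the browser, while `sanitize` is a minimal allow-list sanitizer of the kind HTMLPurifier implements properly, which re-parses the fragment and re-emits only known-safe tags, attributes and link schemes. The tag and attribute allow-lists are my own choice for the example; in production use a maintained library such as HTMLPurifier rather than this sketch.

```python
from html import escape, unescape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list: only these tags and attributes survive; everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def encode_then_decode(html):
    """The question's idea: htmlencode on save, htmldecode on display. Net effect: identity."""
    return unescape(escape(html))

def safe_href(value):
    """Accept http(s)/mailto URLs and plain relative paths; reject any other scheme."""
    v = value.strip()
    scheme = urlparse(v).scheme.lower()
    return scheme in SAFE_SCHEMES or (scheme == "" and ":" not in v)

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded tricks are decoded first
        self.out, self.skip = [], 0              # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue                         # drops onmouseover=, onerror=, style=, ...
            if name == "href" and not safe_href(value):
                continue                         # drops javascript: and data: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text nodes are re-encoded

def sanitize(html):
    p = AllowListSanitizer()                     # rebuild the fragment from parsed tokens
    p.feed(html)
    p.close()
    return "".join(p.out)
```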
