Silverfall05

Reputation: 1127

CKEditor XSS clean

I have a web project where I allow users to use CKEditor, and that's why I need to secure myself against any XSS. How do I minimise the risk of being "attacked" with XSS?

I don't know if this will be enough; I guess not:

strip_tags(Input::get('text'), '<p><a><h1><h2>');

So the question is: how do I stay XSS clean from CKEditor on the server side, and what do I need to do on the CKEditor side? Which plugins should I remove (I removed the source code plugin; maybe I should also remove the styles plugin)?

Upvotes: 1

Views: 3493

Answers (1)

Alexey Lebedev

Reputation: 12197

Use HTML Purifier.

It was created specifically for sanitizing HTML and fixing invalid markup such as incorrectly nested tags or unescaped special characters.

It doesn't matter what plugins you remove from CKEditor: a malicious user can completely bypass CKEditor and submit any string they want.

strip_tags with $allowable_tags doesn't offer good enough protection from XSS, because scripts and styles can be embedded in tag attributes such as href, onmouseover, onerror, etc. It's also possible to reuse some of the application styles and scripts by adding id and class attributes.

Upvotes: 5
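The following is an added example, not code from the question or the answer above. It puts the question's strip_tags call next to an HTML Purifier configuration and feeds both the same constructed payload, so the difference the answer describes can be seen directly: strip_tags keeps every attribute on an allowed tag, while HTML Purifier allowlists attributes as well as tags and rejects disallowed URL schemes. It assumes HTML Purifier was installed with Composer (package ezyang/htmlpurifier) and that vendor/autoload.php sits next to the script; the payload string and the variable names are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes HTML Purifier is
// installed via Composer as ezyang/htmlpurifier and that the Composer
// autoloader lives at ./vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed attacker input. Every tag here is either on the allowlist
// from the question or gets dropped, yet the attributes still carry script
// (javascript: URL, on* handlers) and hooks into the site's own CSS/JS
// (id and class).
$dirty = '<p>Hello <a href="javascript:alert(1)" onmouseover="alert(2)">link</a></p>'
       . '<img src="x" onerror="alert(3)">'
       . '<h1 id="main-nav" class="btn btn-danger">title</h1>';

// 1) The approach from the question: a tag-only allowlist.
//    strip_tags removes the <img> element, but the <a> and <h1> survive
//    with all of their attributes intact, so the payload still fires.
$stripped = strip_tags($dirty, '<p><a><h1><h2>');

// 2) HTML Purifier: allowlist tags AND their attributes. Only href is
//    permitted on <a>; no on* handlers, id, class or style anywhere.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,a[href],h1,h2');

// Restrict href to harmless schemes so href="javascript:..." is rejected
// instead of passed through.
$config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));

// Add rel="nofollow" to user-supplied links.
$config->set('HTML.Nofollow', true);

// Disable the definition cache so the demo needs no writable cache directory.
$config->set('Cache.DefinitionImpl', null);

$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($dirty);

echo "strip_tags : " . $stripped . PHP_EOL;
echo "purifier   : " . $clean . PHP_EOL;
```

Run it with `php demo.php`. The strip_tags line still contains the `javascript:` href, the `onmouseover` handler and the `id`/`class` attributes; the purifier line keeps only the element structure and whatever attributes the `HTML.Allowed` list permits. In the real application the same `$purifier->purify()` call goes on the server side, on the value read from the request, regardless of how CKEditor is configured in the browser.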
