Alphy Gacheru

Reputation: 657

Is data via Ckeditor safe from XSS attacks from the way I see it saved in the database?

I've noticed that when I use CKEditor and I post <script>alert('hi')</script> as my content, it's saved as the following in the database, and when I visit the page with the blog post I don't get an alert.

<p>&lt;script&gt;</p>

<p>alert(&#39;hi&#39;);</p>

<p>&lt;/script&gt;</p>

On the contrary, when I post the same content without the plugin, just using a textarea tag, it's saved in the database as shown below, and when I visit the page with the post I get an alert.

<script>
        alert('hi');
    </script>

Does this mean data provided by a user through CKEditor is safe from XSS attacks?

To display the data I have to do it this way: {!! $post->body !!}, and I know Laravel doesn't protect from XSS when the data is not escaped, so I'm concerned about XSS in this case.

Upvotes: 1

Views: 1131

Answers (1)

kkyucon

Reputation: 46

If you treat input from CKEditor as safe, then no: data provided by a user through CKEditor is NOT safe from XSS attacks.

All depends on:

  • Plugins used and how they were integrated
  • Which buttons are activated (i.e. Source, Img, IFrame buttons)
  • What elements and attributes are allowed
  • Why CKEditor is being used in your application
  • If input is validated and sanitized

So as an example, using the Source button (if activated) a user can input:

<script>alert(XSSvulnerability)</script>

...and the script will run once output if you think "data provided by user using ckeditor is safe from XSS attacks".

Considering you are using Laravel, this method can also be used to run some PHP script:

$a = true;
if($a){
  $this->db->query('DELETE * FROM posts');
  $this->query->execute();
}

Even if you were to use htmlspecialchars($post->body), (and this would clearly break your HTML) an HTML attribute can be used to htmlspecialchars_decode($yourVariable) and run the script.

As stated in the CKEditor Best Practices guide:

  • You should only ever input clean, standards-compliant HTML code into CKEditor.
  • It is a bad practice to download the Full package and then remove plugins or buttons in your configuration. You will only be loading unnecessary stuff without any good reason.
  • You should always use minified CKEditor versions.
  • If you want to install additional plugins, use online builder instead of adding them manually.
  • No editor features (such as Advanced Content Filter (ACF) or paste filter) should be treated as security filters. If the content that is to be loaded into CKEditor comes from untrusted sources (e.g. the users of your website), you should always filter it on the server side to avoid potential XSS issues — just like you would do it for any other content intended to be published on your website.
  • Source mode is an advanced feature that lets your users insert HTML code into your website and is not really needed in most use cases (after all, you are installing a WYSIWYG editor to avoid the need to write content in HTML). Disabling it is thus highly recommended.
  • The Preview plugin displays a preview of the document as it will be shown to the end user or printed. In order for the content to be displayed as closely as possible to how it looks on your page, it will not be processed or secured in any special way by the plugin. This opens up possibilities for XSS attacks, so it is highly recommended to sanitize the preview content using the contentPreview event.
  • Configuring ACF to accept additional tags and attributes that are unsupported by CKEditor features may result in XSS vulnerabilities.

Consider the following:

  • Validate and sanitize CKEditor input as you would any other user input.
  • CKEditor is JavaScript enabled. If JavaScript is somehow disabled, then your HTML <textarea> is just a blank canvas for any ill-intended user.
  • Use an HTML sanitizer such as HTML Purifier.

Upvotes: 2
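The server-side allowlist sanitization the answer recommends, as an added example that is not part of the question or answer above. It assumes the ezyang/htmlpurifier Composer package is installed; the function name and the sample inputs are constructed for illustration, and in Laravel the function would be called on the request body before saving the post.

```php
<?php
// Added example, not from the question or answer above. Assumes the
// ezyang/htmlpurifier Composer package is installed; sanitizePostBody()
// and the sample inputs are hypothetical.
require __DIR__ . '/vendor/autoload.php';

/**
 * Server-side allowlist sanitizer for HTML coming out of CKEditor.
 * Anything not listed (script, iframe, event-handler attributes,
 * non-http(s) link schemes) is removed, so the stored value can be
 * printed unescaped with {!! $post->body !!} without relying on the
 * editor's client-side filtering, which is not a security filter.
 */
function sanitizePostBody(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only the formatting a blog post needs; no script, iframe or img.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,blockquote,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Disable the definition cache so no writable cache directory is needed.
    $config->set('Cache.DefinitionImpl', null);

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed inputs mirroring the question.
$samples = [
    // What CKEditor stored: already entity-encoded, so it stays inert text.
    'ckeditor' => '<p>&lt;script&gt;</p><p>alert(&#39;hi&#39;);</p><p>&lt;/script&gt;</p>',
    // What a plain <textarea> (or CKEditor's Source button) stores.
    'textarea' => "<script>\n        alert('hi');\n    </script><p>Hello</p>",
    // An element the IFrame button would produce; not on the allowlist.
    'iframe'   => '<p>Intro</p><iframe src="https://example.com/"></iframe>',
];

foreach ($samples as $name => $dirty) {
    printf("%-8s => %s\n", $name, sanitizePostBody($dirty));
}
```

Run it with `php sanitize_demo.php`: the entity-encoded CKEditor sample passes through unchanged, while the raw script element (including its body) and the iframe are stripped before anything reaches the database.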
