Reputation: 83
AFAIK, TinyMCE is supposed to be self-sufficient XSS-wise, as its editor prevents anything that could be used for XSS.
However, all this is done client-side, and security depends entirely on the POST headers being clean thanks to TinyMCE.
What's stopping an attacker from making a custom HTTP request with tags in the POST HTTP headers?
Does everybody who uses TinyMCE also have extensive anti-XSS libraries on the server side to make sure this doesn't happen? Is there a way to make sure the input did indeed come from TinyMCE and not from custom POST headers?
Needless to say, just escaping everything with the likes of htmlspecialchars() isn't an option, as the entire point of TinyMCE is to let users input HTML formatted content.
Upvotes: 1
Views: 242
Reputation: 4416
You can't trust what's coming from the client side. An attacker could even modify TinyMCE to disable whatever you have added.
On the server side you could use something like OWASP AntiSamy or HTMLPurifier, which allow you to specify which tags you allow (whitelisting tags and attributes).
Upvotes: 1
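To make the answer's point concrete, here is an added example (not code from the question, the answer, TinyMCE, HTMLPurifier or AntiSamy) of the server-side allowlisting idea in plain Python, using only the standard library. The allowed tags, attributes and URL schemes are assumptions chosen for the demo; a real deployment would use a maintained library such as the two named above, but the mechanics are the same: every tag and attribute not on the list is dropped regardless of what the client sent, and `href` values are only kept for known-safe schemes.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this demo: tag -> attributes permitted on it.
# Anything not listed here (script, img, on* handlers, style, ...) is removed.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                       # tags that never get a closing tag
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Accept only relative URLs or URLs with an allowlisted scheme."""
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"),
    # so strip whitespace and control characters before looking at it.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(compact).scheme.lower()
    # Fail closed: anything with a colon but no recognised scheme is rejected.
    return scheme in SAFE_URL_SCHEMES or (scheme == "" and ":" not in compact)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # stack of allowed tags currently open
        self.skip_depth = 0    # >0 while inside <script>/<style>: drop their text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                     # e.g. onclick="..." is never kept
            if name == "href" and not safe_url(value):
                continue                     # javascript:, data:, vbscript:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything still open inside this tag, then the tag itself,
            # so the output is always properly nested.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it here.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()                         # flush any buffered trailing text
        while self.open_tags:                # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return an allowlist-filtered version of untrusted HTML from the client."""
    s = AllowlistSanitizer()
    s.feed(html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample of what a hand-crafted POST body might contain.
    print(sanitize('<p onclick="alert(1)">Hi <b>there</b></p><script>alert(1)</script>'
                   '<a href="javascript:alert(1)">click</a><img src=x onerror=alert(1)>'))
```

Run as a script it prints `<p>Hi <b>there</b></p><a>click</a>`: the `onclick` attribute, the `<script>` block with its body, the `javascript:` link target and the `<img>` tag are all gone, while the formatting TinyMCE is meant to produce survives. The same function is what the server applies to the POST body no matter which client produced it, which is the only way to answer the question's concern about requests that never went through the editor.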