jpc

Reputation: 53

CKEditor security best practices

I am using http://ckeditor.com/ in a small PHP/MySQL forum I built. My questions:

  1. Is it safe to save user-created HTML like this in the database and then re-display it in my application? What precautions should I take to keep the users of my forum safe from script injection and the like?

    <p>test</p>
    <span style="font-size: 14px;">test</span>
    
  2. Would it be safer to use BBCode instead of HTML? I tried the ckeditor bbcode plugin but it lacks some basic formatting like text alignment ... Does anyone know how to extend the plugin to add text alignment to it?

Upvotes: 5

Views: 5227

Answers (1)

Peter

Reputation: 12711

For your first question, there are two main things you need to do:

  1. Safely save the user content to your database so that you are not vulnerable to a SQL injection attack. See this SO question for how best to handle that => Best way to stop SQL Injection in PHP.

  2. Prevent someone from submitting unsafe HTML to your database that would then be re-displayed to your users and make them vulnerable to an XSS attack. There are plenty of questions that deal with that here on SO. Here's one => XSS Prevention in PHP.

Upvotes: 4
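As an added example (not part of the answer above), this is how both points look in a PHP forum: CKEditor output is reduced to an allowlist of tags and inline styles with HTMLPurifier before it is stored, and the row is written with a PDO prepared statement. It assumes the ezyang/htmlpurifier Composer package is installed and uses a hypothetical `posts` table; the sample submission is constructed.

```php
<?php
// Added example: sanitise CKEditor output with HTMLPurifier (http://htmlpurifier.org/)
// before storing it, and store it with a PDO prepared statement.
// Assumes the Composer package ezyang/htmlpurifier is installed.
require __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist: only the tags and attributes the forum editor is meant to produce.
    // Anything else (script, iframe, on* handlers, ...) is removed, not escaped.
    $config->set('HTML.Allowed', 'p,br,strong,em,u,ul,ol,li,blockquote,span[style],a[href]');
    // Only the inline styles CKEditor's formatting buttons emit; other properties are dropped.
    $config->set('CSS.AllowedProperties', 'font-size,text-align');
    // Only http/https links; javascript: and data: URIs in href are rejected.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Mark user links as untrusted for search engines.
    $config->set('HTML.Nofollow', true);
    return new HTMLPurifier($config);
}

// Purify, then insert with bound parameters so the body can never alter the SQL.
function savePost(PDO $pdo, int $userId, string $rawHtml): string
{
    $clean = makePurifier()->purify($rawHtml);
    $stmt = $pdo->prepare('INSERT INTO posts (user_id, body_html) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $clean]);
    return $clean;
}

// body_html was purified at save time, so it is emitted as-is. Plain-text fields
// such as the author name were never sanitised as HTML, so they are still escaped.
function renderPost(array $row): string
{
    return '<div class="post"><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8')
        . '</b>' . $row['body_html'] . '</div>';
}

// Constructed sample: a tampered form submission. The onclick attribute, the script
// element and the position property are all stripped; the two editor elements from
// the question survive with only their allowed style.
$sample = '<p onclick="alert(1)">test</p><script>alert(1)</script>'
        . '<span style="font-size: 14px; position: fixed;">test</span>';
$pdo = new PDO('sqlite::memory:');   // hypothetical in-memory table for the demo
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body_html TEXT)');
$stored = savePost($pdo, 1, $sample);
echo renderPost(['author' => 'jpc <admin>', 'body_html' => $stored]), PHP_EOL;
```

Purifying at save time keeps display cheap, but if the allowlist is tightened later the stored rows should be re-purified, or purified again on output.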
