We will need to start filtering XSS when we introduce the support for "free HTML editing" #1624
Comments
Would removing all script tags and any attribute beginning with "on" even if white-listed do the trick? (I assume we aren't just going to HTML encode). |
Hi @tomaszmys! CKEditor 5 implements a custom data model and every piece of HTML which gets to that model needs to be handled by a specific converter. The same on the way out – every piece of the model is converted to the view by a specific piece of code. What does it mean for XSS attacks?
BTW, #908 wasn't about whitelisting content. #592 is about that. We'll certainly pay attention to not render |
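An allowlist converter pipeline of the kind described in the reply above (HTML gets in only through a converter for a listed element, and the model gets out only through converters that escape everything), written here as an added example rather than CKEditor 5's own code; instead of blocklisting script tags and on* attributes as asked earlier in the thread, anything without a converter is simply never reaching the model. The element allowlist, void-tag set, regex scanner and URL rule are assumptions made for the demo, not the editor's real configuration.

```javascript
// Added example (not CKEditor 5 code): an allowlist-driven HTML -> model -> HTML round trip
// as the thread describes. The regex scanner stands in for a real parser (DOMParser in a
// browser); the allowlist, void-tag set and URL rule are assumptions for the demo.
const ALLOWED = { p: [], b: [], i: [], a: ['href'], img: ['src', 'alt'] }; // element -> attrs
const VOID = new Set(['img', 'br', 'hr', 'input', 'meta', 'link']);
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const decode = (s) => s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[e]);
const esc = (s) => s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
const safeUrl = (u) => /^(?:https?:|mailto:)/i.test(u.trim()) || !u.includes(':'); // known scheme or relative

// HTML -> model. Only allowlisted elements have a converter and become model nodes; anything else
// is dropped with its contents, and an attribute not listed for its element (every on*) never gets in.
function toModel(html) {
  const root = { name: '$root', attrs: {}, children: [] };
  const stack = [root];
  let skip = 0;                                // nesting depth inside a dropped element
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|</g)) {
    const [tok, rawName, rawAttrs, text] = m;
    if (rawName === undefined) { if (!skip) stack.at(-1).children.push({ text: decode(text ?? tok) }); continue; }
    const name = rawName.toLowerCase();
    if (tok.startsWith('</')) {                // closing tag: unwind the skip counter or the model stack
      if (skip) skip -= VOID.has(name) ? 0 : 1;
      else if (stack.length > 1 && stack.at(-1).name === name) stack.pop();
      continue;
    }
    if (skip || !(name in ALLOWED)) { if (!VOID.has(name)) skip++; continue; }
    const attrs = {};
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase(), val = decode(a[2] ?? a[3] ?? a[4] ?? '');
      if (!ALLOWED[name].includes(key)) continue;                       // no converter: dropped
      if ((key === 'href' || key === 'src') && !safeUrl(val)) continue; // unsafe URL: dropped
      attrs[key] = val;
    }
    const node = { name, attrs, children: [] };
    stack.at(-1).children.push(node);
    if (!VOID.has(name)) stack.push(node);
  }
  return root;
}

// Model -> view: each node is rendered by its converter with text and attribute values escaped.
function toView(node) {
  if (node.text !== undefined) return esc(node.text);
  const inner = node.children.map(toView).join('');
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
  return VOID.has(node.name) ? `<${node.name}${attrs}>` : `<${node.name}${attrs}>${inner}</${node.name}>`;
}
const sanitize = (html) => toModel(html).children.map(toView).join('');
const SAMPLE = '<p onclick="steal()">Hello <b>world</b><script>alert(1)</script></p>'; // constructed input
console.log(sanitize(SAMPLE)); // <p>Hello <b>world</b></p>
```

Feeding the OWASP cheat-sheet cases linked later in the thread through `sanitize` is a reasonable regression suite for such a pipeline, since every case must come out either allowlisted or escaped.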
Hey Reinmar, First off, my sincere apologies for getting back to this that late (lessons learned, I should really review the spam folder more often). I've brought this topic up after playing around with the editor for a while, and the example I've provided came directly from the tests I've been playing with. I was quite sure I was able to trigger a request after rendering of the Thanks for pointing me to the #592 discussion - I'll keep following that thread, especially since whitelisting configuration seems to me like the only reasonable solution in the long run. |
Might be useful to test all known cases: https://owasp.org/www-community/xss-filter-evasion-cheatsheet |
The current version of CKEditor 5 prevents XSS in all these cases? |
There has been no activity on this issue for the past year. We've marked it as stale and will close it in 30 days. We understand it may be relevant, so if you're interested in the solution, leave a comment or reaction under this issue. |
We've closed your issue due to inactivity over the last year. We understand that the issue may still be relevant. If so, feel free to open a new one (and link this issue to it). |
Originally posted by @tomaszmys in #908 (comment)