How best to deal with security issues and CKEditor?

I would just recommend using some regular expressions to filter out the information you don't want. It should be relatively simple to take care of most of the issues, particularly style and script tags that could produce hazardous results.

Probably the simplest solution would be to attempt to prevent the user from doing anything custom. For instance: remove the Source plugin. The editor, by default, can produce a number of different dtds, including HTML 4.01 Strict and Transitional as well as XHTML 1.0 Strict and Transitional.

Using those two in concert with each other should produce a bit more favorable results.

PHP
strip_tags function

HTML Tidydevshed article

ASP.NET
WebProNews article

public static string StripHtml(string html, bool allowHarmlessTags)
{
   if (html == null || html == string.Empty)
     return string.Empty;

   if (allowHarmlessTags)
     return System.Text.RegularExpressions.Regex.Replace(html, "", string.Empty);

   return System.Text.RegularExpressions.Regex.Replace(html, "<[^>]*>", string.Empty);
}

Any safety checks must be done always at the server side. Removing things like the source button doesn't help at all because if someone wants to attack your site they will send the data directly without allowing it to be cleaned by a simple javascript.

And the checks based on regexp are usually too simple for a real attacker. The best way to do it is to take the incoming data, parse it into a DOM tree and then filter out any node or attribute that it isn't whitelisted. Then you get that again as a HTML string and that's the final data.

Any other approach is vulnerable to browser bugs that allows to execute code in a ways that you didn't expect.
For example I think that some site suffered an attack because something like

<scri 
pt>alert('hello');</scri
pt>

is executed in IE. Maybe that's not exactly the correct syntax, but it was something that a simple regexp looking for "script" couldn't find. If the cleanup is base only on allowing a set of tags and attributes then it will be safe (or at least much safer, there's nothing perfect)

Sorry, I have no idea about Java. I would have to search the web and then I wouldn't even know if you can use whatever turns out of that search.

http://xopus.com/

Client side filtering of course is no replacement for input validation at the server, so client side filtering is not very useful for dealing with security issues. But there are other good reasons to filter in the browser. One reason is that some tags can break usability when the ckEditor is used in a browser based application. Although from a technical perspective this could be fixed by a server side filter, from a usability perspective filtering at the client should als be supported. ckEditor has the structure to implement this. The 'paste' event by default does no filtering at all. This should be fixed to allow configuration of an 'allowed tags' list, optionally combined with a custom filter.

I agree with mvl. A client side filter would help so that users would be notified straight away about non allowed tags.

Could you please elaborate what exactly this means: "take the incoming data, parse it into a DOM tree and then filter out any node or attribute that it isn't whitelisted".

On the server side I do the following to validate the submitted values:
$allowed_html="<strong><p><a><ul><ol>";
$value = mysql_real_escape_string(strip_tags(html_entity_decode($_POST['value']),$allowed_html));
I have disabled the SOURCE button in CKEditor. But users can still type/paste in html tags. The editor encodes these so I use the decode, strip all non allowed tags, make it database safe and write it into the database. Am I missing anything essential to make it secure?

Thanks, Jens