Hi,
First, sorry about my English, it is not so good, so I hope you'll understand my question.
I'm questioning myself about security when using CKEditor, particularly on the server side, once you've posted the <textarea> which CKEditor uses and got the $_POST variable in a typical PHP script. I'm worried about XSS (cross-site scripting) that could even lead to CSRF (cross-site request forgery). I've read everything I found in the documentation section but couldn't find any solution to this issue.
In this situation, my guess would be that I have to parse the $_POST variable with regex functions to find out any "not-allowed <> content". For example, a <span> is OK, or a <span style="blabla"> or a <div> or <image> and so on. But if the parser finds anything that is not in the allowed field of "<> contents" (<script> for instance), no database insertion is done and the application returns a neat, polite error message to the user.
Is this what I'm supposed to do when using CKEditor? It's quite a bit of work... Isn't there any easier way to deal with the problem?
Thanks a lot for reading and answering. Again, if you don't understand my question, it's probably because of my English.
Re: How to build security with ck editor
But you don't need to write that. It's very complex, because a style, for example, can be very dangerous: in IE it allows running JavaScript. So your best chance is to find a project that takes care of that and integrate it into your system.
Just as you are using this project instead of writing your own HTML editor, you just need to find which sanitizer is good for you and use it.
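The point made in this reply, as an added example that is not part of the original thread: a PHP script that implements the tag-name regex allowlist proposed in the question, feeds it three constructed payloads that pass the check anyway (an event-handler attribute, a javascript: URL, and the IE CSS expression() case the reply refers to), and then shows what handing the markup to a maintained sanitizer looks like. HTML Purifier as the chosen library, its install path, the allowed-tag list and the payloads are all assumptions of this example, not recommendations or code from the forum posts.

```php
<?php
// Added example, not from the forum thread: a tag-name allowlist written with
// regex, as proposed in the question, is not a sanitizer. Payloads are
// constructed for this demo.

// 1. The approach from the question: allow only a fixed set of tag names and
//    reject the whole post if any other tag (e.g. <script>) appears.
function passesNaiveAllowlist(string $html): bool
{
    $allowedTags = ['span', 'div', 'p', 'b', 'i', 'a', 'img'];   // assumed list
    // Pull out every tag name, opening or closing, and compare it to the list.
    preg_match_all('#<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)#', $html, $m);
    foreach ($m[1] as $tag) {
        if (!in_array(strtolower($tag), $allowedTags, true)) {
            return false;   // <script> is caught here...
        }
    }
    return true;            // ...but attributes are never looked at.
}

// Constructed payloads: every tag name is on the list above, so the naive
// check accepts them, yet each one runs script in some browser.
$payloads = [
    // event-handler attribute on an allowed tag
    '<img src="x" onerror="alert(document.cookie)">',
    // javascript: URL inside an allowed tag
    '<a href="javascript:alert(1)">click</a>',
    // CSS expression(): the "style can run JavaScript in IE" case from the reply
    '<span style="width:expression(alert(1))">hi</span>',
];

foreach ($payloads as $p) {
    printf("naive allowlist: %-6s %s\n",
        passesNaiveAllowlist($p) ? 'PASS' : 'REJECT', $p);
}

// 2. What the reply recommends: hand the HTML to an existing sanitizer.
//    HTML Purifier (http://htmlpurifier.org/) is used here as one PHP option;
//    picking it is this example's assumption, not advice from the thread.
//    It parses the markup, keeps only allowlisted elements, attributes, CSS
//    properties and URL schemes, and re-serialises well-formed HTML.
function sanitizeWithPurifier(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Element/attribute allowlist: style is permitted but its contents are filtered.
    $config->set('HTML.Allowed', 'p,b,i,a[href],span[style],div,img[src|alt]');
    // Only these CSS properties survive; expression() never does.
    $config->set('CSS.AllowedProperties',
        ['color' => true, 'font-weight' => true, 'text-decoration' => true]);
    // URL schemes for href/src; javascript: is not among them.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Assumed install location of the library; adjust to your deployment.
$autoload = __DIR__ . '/htmlpurifier/library/HTMLPurifier.auto.php';
if (is_readable($autoload)) {
    require_once $autoload;
    foreach ($payloads as $p) {
        printf("purified:        %s\n", sanitizeWithPurifier($p));
    }
} else {
    echo "HTML Purifier not found at $autoload; first half of the demo only.\n";
}
```

The first half runs with plain PHP and reports PASS for all three payloads, which is the whole argument of the reply: the dangerous part of `<span style="...">` or `<img onerror="...">` is the attribute value, and a check that only reads tag names cannot see it. The second half only runs once HTML Purifier is installed at the assumed path; store what `purify()` returns, not the raw `$_POST` value, and keep the allowlist as small as the editor's toolbar actually needs.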
Re: How to build security with ck editor
OK, I got it.

Any advice about a good open source (and free) sanitizer? It's the first time I've used one...
Thanks a lot anyway.