We are currently using CKEditor 3.6.4 and are looking into preventing XSS attacks when using the editor. We found that when the HTML that gets populated into the editor contains JavaScript, the editor modifies the code to prevent the JavaScript from running when the editor box is initialized (this is good).
E.g., this:
<script>alert('hello world')</script>
gets modified to this:
<!--{cke_protected}%3Cscript%3Ealert('hello%20world')%3B%3C%2Fscript%3E-->
and this:
<div onclick="alert('clicked!');">Clickable div<br></div>
gets modified to this:
<div data-cke-pa-onclick="alert('clicked!');">Clickable div<br></div>
However, we found that if we then save a form containing the editor, the JavaScript code is executed, and the text returned from the form now contains the original code. Is there any way to prevent it from doing this so that the "safe" version of the code is retained and the JavaScript is not executed on save?
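The behaviour described in the question can be reproduced without the editor. The following is an added example, not code from the question or from CKEditor itself: it re-implements in plain JavaScript the two transformations shown above (script to `{cke_protected}` comment, `onclick` to `data-cke-pa-onclick`) together with the reverse step that the editor performs when its data is read back for submission, and then shows a server-side check that does not depend on what happened in the browser. The function names, the regular expressions and the sample inputs are this example's own assumptions, simplified from the 3.x behaviour the question documents.

```javascript
'use strict';
// Added example (not the question's code and not CKEditor's source).
// Editor-side "protection" is reversible by design: the comment body is just the
// URL-encoded original, and the renamed attribute keeps the handler text intact.
// getData()/form submit undoes both, so the server always sees the original markup.

// Editor-side, on load: <script>...</script> becomes a {cke_protected} comment whose
// body is the URL-encoded original; on* handlers are renamed to data-cke-pa-on*.
// Simplified re-implementation for illustration, not CKEditor's own code.
function protectForEditing(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi,
      (m) => '<!--{cke_protected}' + encodeURIComponent(m) + '-->')
    .replace(/\s(on\w+)=/gi, ' data-cke-pa-$1=');
}

// Editor-side, on getData()/submit: both transformations are undone. This is the
// "original code comes back" behaviour the question observes.
function restoreProtected(html) {
  return html
    .replace(/<!--\{cke_protected\}([\s\S]*?)-->/g, (_, enc) => decodeURIComponent(enc))
    .replace(/\sdata-cke-pa-(on\w+)=/gi, ' $1=');
}

// What the server actually receives after a round trip through the editor.
function submitThroughEditor(html) {
  return restoreProtected(protectForEditing(html));
}

// Server-side tripwire (assumed design, not a CKEditor feature): refuse submissions
// that still carry active content in either the raw or the editor-encoded form.
// Regex matching is a detection aid, not a sanitizer; a production endpoint should
// parse the HTML and allowlist elements/attributes with a real sanitizer library.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element',        re: /<script\b/i },
  { name: 'cke_protected comment', re: /<!--\{cke_protected\}/i },
  { name: 'inline event handler',  re: /\son\w+\s*=/i },
  { name: 'cke_pa event handler',  re: /\sdata-cke-pa-on\w+\s*=/i },
  { name: 'javascript: URL',       re: /javascript\s*:/i },
];

// Returns the names of every pattern that matched (empty array means nothing found).
function findActiveContent(html) {
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Accept/reject decision for a submitted body, with the reasons for rejection.
function gateSubmission(html) {
  const reasons = findActiveContent(html);
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample inputs: the question's two examples (the trailing ';' matches
// what the editor emitted in its protected form) plus one harmless fragment.
const SAMPLES = [
  "<script>alert('hello world');</script>",
  "<div onclick=\"alert('clicked!');\">Clickable div<br></div>",
  '<p>Plain <b>formatted</b> text is fine.</p>',
];

for (const s of SAMPLES) {
  console.log('input      :', s);
  console.log('in editor  :', protectForEditing(s));
  console.log('on submit  :', submitThroughEditor(s));
  console.log('server gate:', gateSubmission(submitThroughEditor(s)));
  console.log();
}
```

Running the loop shows each sample surviving the round trip unchanged, which is why holding on to the "safe" editor form would not help: anyone who can see the protected comment can decode it, and anyone who can post to the form can bypass the editor entirely. The gate flags both the raw and the editor-encoded variants; it will also produce false positives on innocent text such as "JavaScript: an introduction", so treat it as a last-line check behind a proper server-side sanitizer rather than as the sanitizer itself.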