You can use this plugin for the client side: viewtopic.php?f=18&t=25504 (after configuring it to your needs), but you MUST perform the clean up at the server side because any self-respecting attacker won't use the form as you expect him to and instead he will send the data directly to the server without any filtering.
Thanks, but I didn't understand how I must write my code to block tags 'script', 'frame', etc...
I have uploaded the plugin into the ckeditor plugins path and in my page, where I load ckeditor, I have this:
CKEDITOR.replace( 'hContent',
{
    filebrowserUploadUrl : 'do_upload.asp?type=ck',
    extraPlugins : 'whitelist',

    /*
     * Font face
     */
    // List of fonts available in the toolbar combo. Each font definition is
    // separated by a semi-colon (;). We are using class names here, so each font
    // is defined by {Combo Label}/{Class Name}.
    font_names : 'Comic Sans MS/FontComic;Courier New/FontCourier;Times New Roman/FontTimes',
    // Define the way font elements will be applied to the document. The 'span'
    // element will be used. When a font is selected, the font name defined in the
    // above list is passed to this definition with the name 'Font', being
    // injected in the 'class' attribute.
    // We must also instruct the editor to replace span elements that are used to
    // set the font (Overrides).
    font_style :
    {
        element : 'span',
        attributes : { 'class' : '#(family)' },
        overrides : [ { element : 'span', attributes : { 'class' : /^Font(?:Comic|Courier|Times)$/ } } ]
    },

    /*
     * Font sizes.
     */
    fontSize_sizes : 'Smaller/FontSmaller;Larger/FontLarger;8pt/FontSmall;14pt/FontBig;Double Size/FontDouble',
    fontSize_style :
    {
        element : 'span',
        attributes : { 'class' : '#(size)' },
        overrides : [ { element : 'span', attributes : { 'class' : /^Font(?:Smaller|Larger|Small|Big|Double)$/ } } ]
    },

    /*
     * Font colors.
     */
    colorButton_enableMore : false,
    colorButton_colors : 'black/000000,silver/C0C0C0,gray/808080,white/FFFFFF,maroon/800000,red/FF0000,purple/800080,fuchsia/FF00FF,green/008000,lime/00FF00,olive/808000,yellow/FFFF00,navy/000080,blue/0000FF,teal/008080,aqua/00FFFF',
    colorButton_foreStyle :
    {
        element : 'span',
        attributes : { 'class' : '#(color)' },
        overrides : [ { element : 'span', attributes : { 'class' : /^(?:black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua)$/ } } ]
    },
    colorButton_backStyle :
    {
        element : 'span',
        attributes : { 'class' : '#(color)BG' },
        overrides : [ { element : 'span', attributes : { 'class' : /^(?:black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua)BG$/ } } ]
    },

    /*
     * Indentation.
     */
    indentClasses : [ 'Indent1', 'Indent2', 'Indent3' ],

    /*
     * Paragraph justification.
     */
    justifyClasses : [ 'JustifyLeft', 'JustifyCenter', 'JustifyRight', 'JustifyFull' ],

    /*
     * Toolbar.
     */
    toolbar_Full :
    [
        ['Source','-','PasteText','PasteFromWord'],
        ['Undo','Redo','-','Find','Replace','-','SelectAll','RemoveFormat'],
        ['Subscript','Superscript','-','Bold','Italic','Underline','Strike','Blockquote'],
        ['NumberedList','BulletedList'],
        ['Link','Unlink'],
        ['SpecialChar'],
        ['FontSize'],
        ['About']
    ],
    height : 350,

    /*
     * Styles combo.
     */
    stylesSet :
    [
        { name : 'Strong Emphasis', element : 'strong' },
        { name : 'Emphasis', element : 'em' },
        { name : 'Computer Code', element : 'code' },
        { name : 'Keyboard Phrase', element : 'kbd' },
        { name : 'Sample Text', element : 'samp' },
        { name : 'Variable', element : 'var' },
        { name : 'Deleted Text', element : 'del' },
        { name : 'Inserted Text', element : 'ins' },
        { name : 'Cited Work', element : 'cite' },
        { name : 'Inline Quotation', element : 'q' }
    ],

    // Function declarations are hoisted, so configureHtmlOutput (defined below) is available here.
    on : { 'instanceReady' : configureHtmlOutput }
});

/*
 * Adjust the behavior of the dataProcessor to avoid styles
 */
function configureHtmlOutput( ev )
{
    var editor = ev.editor,
        dataProcessor = editor.dataProcessor,
        htmlFilter = dataProcessor && dataProcessor.htmlFilter;

    // Nothing to configure if this editor instance has no HTML data processor.
    if ( !dataProcessor || !htmlFilter )
        return;

    // Put every block-level element on its own line in the generated HTML.
    var dtd = CKEDITOR.dtd;
    var tags = CKEDITOR.tools.extend( {}, dtd.$block, dtd.$listItem, dtd.$tableContent );
    for ( var tag in tags )
    {
        // Use the editor captured above rather than relying on the event's 'this'.
        dataProcessor.writer.setRules( tag,
        {
            indent : true,
            breakBeforeOpen : true,
            breakAfterOpen : false,
            breakBeforeClose : false,
            breakAfterClose : true
        });
    }

    // Output properties as attributes, not styles.
    htmlFilter.addRules(
    {
        elements :
        {
            // '$' matches every element that passes through the filter.
            $ : function( element )
            {
                // Output dimensions of images as width and height
                if ( element.name == 'img' )
                {
                    var style = element.attributes.style;
                    if ( style )
                    {
                        // Get the width from the style.
                        var match = /(?:^|\s)width\s*:\s*(\d+)px/i.exec( style ),
                            width = match && match[1];

                        // Get the height from the style.
                        match = /(?:^|\s)height\s*:\s*(\d+)px/i.exec( style );
                        var height = match && match[1];

                        if ( width )
                        {
                            element.attributes.style = element.attributes.style.replace( /(?:^|\s)width\s*:\s*(\d+)px;?/i, '' );
                            element.attributes.width = width;
                        }
                        if ( height )
                        {
                            element.attributes.style = element.attributes.style.replace( /(?:^|\s)height\s*:\s*(\d+)px;?/i, '' );
                            element.attributes.height = height;
                        }
                    }
                }

                // Drop the style attribute entirely once it is empty.
                if ( !element.attributes.style )
                    delete element.attributes.style;

                return element;
            }
        }
    });
}
What do I add to this code to block 'script', 'frame' and other tags? Can you help me?
The fact that you keep asking how to remove some specific tags makes me think that you haven't read the posts and documentation, so please, use that.
First step: set up a system at your server side to clean up the incoming data. Note: always use a whitelist; if you don't know what it is, then it's not safe. This is a basic aspect of any kind of security.
When you have that whitelisting ready, then follow the example code found in the plugin doc and customize your CKEditor.
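The server-side allowlist cleanup this reply insists on, as an added example that is not part of the original thread or of the linked plugin: a small sanitizer built on Python's standard-library HTMLParser (Python stands in for the asker's ASP back end; the allowlist of elements, attributes, class names and URL schemes is constructed here to match the editor configuration posted above). It parses the submitted HTML instead of pattern-matching it, keeps only listed elements and attributes, drops the content of script/style, rejects any href that is not http(s) or mailto, escapes all text, and closes whatever tags the input left open, so the stored fragment is always well-formed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist mirroring what the editor configuration in this thread
# can produce. Anything not listed (script, iframe, style, event handler
# attributes, javascript: URLs, ...) never reaches the output.
ALLOWED_TAGS = {
    "p", "br", "blockquote", "ol", "ul", "li", "strong", "em", "u", "s",
    "sub", "sup", "code", "kbd", "samp", "var", "del", "ins", "cite", "q",
    "a", "span",
}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}, "span": {"class"}}
ALLOWED_CLASS = re.compile(
    r"^(?:Font(?:Comic|Courier|Times|Smaller|Larger|Small|Big|Double)"
    r"|Indent[123]|Justify(?:Left|Center|Right|Full)"
    r"|(?:black|silver|gray|white|maroon|red|purple|fuchsia|green|lime"
    r"|olive|yellow|navy|blue|teal|aqua)(?:BG)?)$"
)
# Only absolute http(s)/mailto links survive; relative URLs are dropped too.
SAFE_HREF = re.compile(r"^(?:https?:|mailto:)", re.IGNORECASE)
RAW_TEXT_TAGS = {"script", "style"}  # their content is code, never user text


class AllowlistSanitizer(HTMLParser):
    """Re-serialises untrusted HTML keeping only allowlisted structure."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # output fragments
        self.open_tags = []   # stack of allowed elements currently open
        self.raw_depth = 0    # > 0 while inside <script>/<style>: drop everything

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth += 1
            return
        if self.raw_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, its text is still emitted escaped
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not SAFE_HREF.match(value):
                continue
            if name == "class":
                classes = [c for c in value.split() if ALLOWED_CLASS.match(c)]
                if not classes:
                    continue
                value = " ".join(classes)
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if self.raw_depth or tag not in self.open_tags:
            return
        # Close everything opened after the matching tag so output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes, processing instructions and CDATA carry no user content.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass

    def result(self):
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return an allowlisted, well-formed HTML fragment for storage/display."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of a submission that bypasses the editor's own filtering.
    sample = ('<p onclick="steal()">Hi <script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a><iframe src="//evil"></iframe>'
              '<span class="FontBig hax">there</span></p>')
    print(sanitize(sample))
```

Run this over the POSTed field before anything is stored, regardless of what the browser-side plugin did. The point of the structure is that the decision is "is this on the list?" rather than "is this known to be dangerous?", which is what makes it a whitelist; a maintained sanitizer library follows the same pattern and is the better choice for production, but the allowlist itself still has to be written by you to match the editor configuration.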
Re: Remove danger tags