Hello,
I'm thinking of buying a "Corporate Web Sites" licence, but before I do this, I've got a question.
I want to use this for a CMS system and I'm not sure how I can solve this problem:
For sure, HTML is allowed (you're not allowed to write your own HTML code). So now:
I won't do htmlentities() in the PHP code because I want the users to be able to use the WYSIWYG editor. BUT what if they manipulate the sent code and just close DIV containers or something like this?
I'm not sure how to solve this, because this is a really bad security problem.
How can they manipulate this?
The simplest thing would be to write your own form and send it to the page.
Well... I'd be very happy if someone could help me with this.
Cu
Unknown Soldier
Re: The Security of CKEditor
From what I can think of, it should not be solvable. Why?
1. You have no idea of what a user sends, you can never control that in a web-environment using regular http-requests.
2. Since the whole idea is for the user to create HTML, you cannot filter for this in any way without destroying the functionality or still having the security issue.
Hence, unless you trust the user, it's gonna be hopeless. You can always add parameters that you send with the requests, but ultimately a hacker could easily copy the parameters and send them too. But if you trust the users, it's easy. As long as you do a server-side check of the user, and you filter for tags that you do not accept, then you are good to go. And to be honest, I don't see it as a problem. If the user sends a couple of "false" <p>-tags, who will it hurt? And if it hurts, you probably shouldn't use a WYSIWYG in the first place.
To sum up the solution:
- Server-side verification of users, i.e. through session variables and other stuff (it's at least one whole science itself)
- Filtering of unwanted content. Especially scripts (tags) and regular hacking stuff, like the ' character to break the SQL. All depending on your specific case.
Re: The Security of CKEditor
Unless I've misunderstood you, HTML Purifier (http://htmlpurifier.org/) should help.
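The two replies above both come down to one defensive pattern: treat the editor as a client-side convenience, assume anything can be POSTed, and re-parse and rebuild the HTML on the server against a whitelist. The following is an added example written for this thread, not CKEditor's code and not HTML Purifier's; it uses PHP's bundled DOM extension (PHP 7 or later assumed) and a hypothetical tag/attribute policy. It shows the two things the original poster worried about: a tampered submission with stray closing `</div>` tags is re-balanced by the parser instead of breaking the page, and script tags, `on*` handlers and `javascript:` URLs are removed. The SQL concern from the first reply is a separate layer and is handled by prepared statements rather than by filtering the `'` character.

```php
<?php
// Added example (not CKEditor's or HTML Purifier's own code): whitelist
// sanitizer for WYSIWYG output. Requires PHP's DOM/libxml extension.
declare(strict_types=1);

// Hypothetical policy: tags a CMS body may contain, each with its allowed attributes.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'b' => [], 'i' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'h1' => [], 'h2' => [], 'h3' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
    'div' => ['class'],
];

// Only these URL schemes survive in href/src; "javascript:", "data:" etc. are dropped.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Containers whose *content* is also dangerous are removed wholesale.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'form'];

function isSafeUrl(string $url): bool
{
    $url = trim($url);
    // Relative URLs (no scheme) are fine.
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot: the live childNodes list changes as we remove/unwrap.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);   // no conditional comments or hidden payloads
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                     // text nodes are inert; keep them
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
            } else {
                // Unknown but harmless tag: unwrap so the visible text survives.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
            continue;
        }
        // Strip every attribute not on the whitelist; this covers all on* handlers.
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $urlAttr = in_array($name, ['href', 'src'], true);
            if (!in_array($name, ALLOWED_TAGS[$tag], true)
                || ($urlAttr && !isSafeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    // Parse the submission as a fragment inside one <body>. libxml balances
    // unclosed and stray closing tags, which defeats "close my DIV and wreck
    // the surrounding layout". Parser warnings for bad markup are suppressed.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $dirty . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);

    // Serialise only the children, so the helper <body> wrapper never leaks out.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample of what a hand-crafted form POST might contain.
$dirty = '<div class="note" onmouseover="alert(1)">Hello</div></div></div>'
       . '<script>alert(document.cookie)</script>'
       . '<a href="javascript:alert(1)">click</a>'
       . '<p>unclosed paragraph<b>bold';

echo sanitizeHtml($dirty), PHP_EOL;
```

Run it with `php sanitize.php` (any file name). The stray closing tags, the `<script>` element, the `onmouseover` handler and the `javascript:` URL are all gone from the output, while the visible text and the allowed markup remain. This hand-rolled version exists to make the mechanism visible; for production the second reply's suggestion is the better choice, since HTML Purifier applies the same parse-and-rebuild idea with a far more complete model of nesting rules, CSS and URL handling (`HTMLPurifier_Config::createDefault()`, then `purify()` on the submitted string).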