I've been reading posts on this forum, but I can't find the answer.
Does FCKeditor have a way to prevent script injection?
Or does it have to be implemented by oneself in the code-behind?
I just tried
<script>
alert('Hey')
</script>
And the alert shows up when I render the content
This solution that I've seen in some posts doesn't seem to work:
FCKConfig.ProtectedSource.Add( /<%[\s\S]*?%>/g ) ; // ASP style server side code <%...%>
FCKConfig.ProtectedSource.Add( /<\?[\s\S]*?\?>/g ) ; // PHP style server side code <?...?>
FCKConfig.ProtectedSource.Add( /(<asp:[^\>]+>[\s|\S]*?<\/asp:[^\>]+>)|(<asp:[^\>]+\/>)/gi ) ; // ASP.Net style tags <asp:control>
FCKConfig.ProtectedSource.Add( /<iframe>[\s\S]*?<\/iframe>/g ) ;
FCKConfig.ProtectedSource.Add( /<html>[\s\S]*?<\/html>/g ) ;
FCKConfig.ProtectedSource.Add( /<script[^\>]+>[\s\S]*?<\/script>/g ) ;
FCKConfig.ProtectedSource.Add( /<code>[\s\S]*?<\/code>/g ) ;
I cleared the temp IE files and it still doesn't work
Or maybe I'm not using it in the correct way
Does anyone have a solution for this problem?
Thanks in advance

Re: Prevent script injection
And you have understood the ProtectedSource exactly the wrong way. It's meant to avoid losing that information while it's being edited as HTML, not to avoid it.
Re: Prevent script injection
I thought that if I was using the FCK for .NET it would eliminate any scripts when getting the value
Do you know of any server side code besides regex or find and replace?
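An added example, not part of the thread or of FCKeditor's own code: it checks the `<script>` pattern from the first post against the test payload, then shows one server-side approach that is not a strip-the-bad-tags regex, namely encoding the whole submitted value and re-enabling only an allowlist of attribute-free tags. `ALLOWED_TAGS`, `htmlEncode`, `sanitizeEditorHtml` and `matchedByPagePattern` are hypothetical names, and the sample input is constructed.

```javascript
// Pattern copied from the post. ProtectedSource only keeps matching source
// intact inside the editor; it never removes anything from the saved value.
const PAGE_SCRIPT_PATTERN = /<script[^\>]+>[\s\S]*?<\/script>/;

// True when the post's pattern would even recognise the markup.
// "[^\>]+" needs at least one character after "<script", so a bare
// "<script>" tag is not matched at all.
function matchedByPagePattern(html) {
  return PAGE_SCRIPT_PATTERN.test(html);
}

// Assumed allowlist: attribute-free formatting tags only.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li'];

// Encode every character that is significant in HTML text or attributes.
// Entities already present in the input are encoded too and show literally.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Matches an encoded allowlisted tag with no attributes, e.g. "&lt;/b&gt;".
const ALLOWED_TAG_PATTERN = new RegExp(
  '&lt;(/?)(' + ALLOWED_TAGS.join('|') + ')( ?/)?&gt;', 'gi');

// Everything is inert text unless it is exactly an allowlisted tag, so
// unknown tags, attributes and event handlers fail closed.
function sanitizeEditorHtml(raw) {
  return htmlEncode(raw).replace(ALLOWED_TAG_PATTERN,
    (match, slash, name, selfClose) =>
      '<' + slash + name.toLowerCase() + (selfClose ? ' /' : '') + '>');
}

// Constructed sample input: the payload from the post plus allowed markup.
const SAMPLE = "<p>Hi <b>there</b></p><script>\nalert('Hey')\n</script>";
console.log(matchedByPagePattern(SAMPLE)); // the post's pattern misses it
console.log(sanitizeEditorHtml(SAMPLE));   // script is rendered as text
```

Run this on the server when the value is received or rendered, never only in the browser. Content that needs links, images or styles calls for a maintained allowlist HTML sanitizer rather than this attribute-free subset.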