Hi, sorry for my bad English. I want to use CKEditor, but I am aware of security. As I know, CKEditor doesn't provide any solutions on the server side by default, out of the box. But recently I've read about the new "Advanced Content Filter", and I thought about this thing: if it is really working right on the client side (I haven't really seen its source), can we use it on the server too, under Node.js, against XSS attackers?
Thu, 05/30/2013 - 16:09
ACF (core/filter.js) has a lot of dependencies. It works on a parsed pseudo-DOM tree (core/htmlparser/*), so theoretically it is a pure-JS implementation, but it uses the browser's HTML parser to fix incorrect HTML. Without this step one could prepare an HTML string which would be incorrectly parsed by our simple Regexp parser (which is used after passing the HTML through the browser), but then, when the result of this was loaded into the browser, it could still be dangerous.
You could however try to run entire CKEditor using PhantomJS, but... yeah - it just sounds like too much overhead.
And still - CKEditor is not meant to be 100% bulletproof. It is a client-side app, so there's always a way to bypass it. Therefore, ACF is a tool for cleaning up input, not for preventing XSS attacks, although it helps a lot if it is configured correctly.
I haven't ever done research on this, and things change quickly, but perhaps there is a Node.JS package for HTML filtering (e.g. http://stackoverflow.com/questions/8805991/nodejs-filtering-inputs). But even if nothing works for you, there are HTML parsers using which you can easily write your own filters.
Piotrek (Reinmar) Koszuliński
CKEditor JavaScript Developer
--
CKSource - http://cksource.com
--
Follow CKEditor on: Twitter | Facebook | Google+
Thanks for explaining. Best wishes.