Skip to content
This repository has been archived by the owner on Mar 8, 2019. It is now read-only.

Security

Jump to bottom
Jeroen Visser edited this page Aug 3, 2014 · 8 revisions

Client Side

Scenario: Content that is copy & pasted into the editor could contain scripts or styles that have an immediate affect on page functionality. Such content could even perform cookie stealing while the user is working with the editor.

Solution: wysihtml5 relies on a three-layered security model:

  1. Browser: Modern browsers already sanitize content before inserting it into rich text editors. Unfortunately Internet Explorer isn’t good at that. (see tests)
  2. iframe: wysihtml5 is always rendered in a sandbox iframe. The iframe disallows javascript from being executed in IE (by using its proprietary security attribute). In non-IE browsers sensitive variables (such as document.cookie, window.parent, localStorage etc.) are protected via setters/getters
  3. HTML5 Parser: The default HTML5 parser rules strip out potentially malicious HTML (such as <script>, <iframe>, meta redirects, …)

Server Side

Scenario: An attacker can always omit wysihtml5’s client side security barrier and post malicious HTML to the server.

Solution: A HTML sanitizer needs to be used on the server unless wysihtml5 is used in a trusted environment (eg. CMS where only people with permissions can interact with wysihtml5).

Here’s an incomplete list of proven HTML sanitizers:

For a start, let’s assume that you have a simple web page, you want to make editable with Aloha Editor and you already have placed Aloha Editor on your web server.

This is your web page:

<head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>Getting Started with Aloha Editor</title> <link rel="stylesheet" href="index.css" type="text/css"> </head> <body> <div id="main"> <div id="content"><p>Getting started with Aloha Editor!</p></div> </div> </body>

Clone this wiki locally