Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#14682 closed Task (wontfix)

Does CKEditor for asp.net do auto sanitization?

Reported by: Furkan Gözükara Owned by:
Priority: Normal Milestone:
Component: Server : ASP.Net Version:
Keywords: Cc:

Description

I don't see anywhere to enable sanitizer etc in the CKEditor implementation

How are we supposed to do sanitization?

here the implementation : http://docs.cksource.com/CKEditor_3.x/Developers_Guide/ASP.NET/Integration_Beginners

I am asking for asp.net

I have asp.net 4.5 and using c#

When we read and use like this does it make server side sanitization?

string str = CKEditor1.Text;
string str1 = Server.HtmlEncode(str);
string str2 = Server.HtmlDecode(str);
lblText.Text = str2;

Change History (6)

comment:1 Changed 4 years ago by Furkan Gözükara

Additionally your email never arrived to my gmail. Probably your mail servers are blocked. Also for my hotmail, it arrived into spam folder.

comment:2 Changed 4 years ago by Jakub Ś

Resolution: wontfix
Status: new → closed
Version: 4.5.10 (GitHub - master)

No, there is none. As you probably know there isn’t any good library or standard for ASP.NET that does sanitization. This results in different approaches and also different requirements specific to the given application. This was the main reason why we haven’t decided to introduce any such solution. Developers should do this on their own according to their needs.

NOTE: If you are familiar with JavaScript (even a little bit) and you don't have a requirement to use ASP.NET controls in your code, I would recommend switching to CKEditor 4.5.9 JavaScript. It takes less space and if you want to integrate it into your HTML page, the code to do that is even one line long, e.g.

<script>
var editor = CKEDITOR.replace('textarea-id');
</script>

or

<script>
var editor = CKEDITOR.replace('textarea-id', {
    // custom instance-specific configuration goes here
    lang : 'en',
    color : 'blue'
});
</script>

comment:3 Changed 4 years ago by Furkan Gözükara

j.swiderski ty for the reply. In this case, how can I safely print the client response?

I mean I will use CKEditor for a private message system.

Assume that client A sent a malicious message to client B.

So how can I show this message safely to client B?

Thank you

comment:4 Changed 4 years ago by Jakub Ś

CKEditor has nothing to do with sending data. I assume that data will be exchanged between clients through the server side, and this is the place where you should perform sanitization after receiving data from the client side.

From the CKEditor point of view you can use ACF, which allows you to define which tags, attributes, styles and classes can be used in the editor. For more information, please see:
http://docs.ckeditor.com/#!/guide/dev_acf
http://docs.ckeditor.com/#!/guide/dev_advanced_content_filter
http://docs.ckeditor.com/#!/guide/dev_disallowed_content
http://docs.ckeditor.com/#!/api/CKEDITOR.filter-method-addTransformations
http://docs.ckeditor.com/#!/api/CKEDITOR.config-cfg-allowedContent
http://docs.ckeditor.com/#!/api/CKEDITOR.config-cfg-extraAllowedContent

Please remember that ACF is not a security filter and you should never rely on JavaScript to do it. Such operations always need to be performed on the server side (even if you additionally do it on the client side). To summarize, you need to implement your custom code to do it.
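An added example in C# (not from the ticket or from CKSource) of what the reporter's HtmlEncode/HtmlDecode pair actually does to a message, and of the two server-side ways to show it to client B that the reply above is asking for. The System.Net.WebUtility calls are standard .NET 4.5; the Ganss.XSS.HtmlSanitizer calls assume the third-party HtmlSanitizer NuGet package and its API as I know it, and the sample message is constructed.

```csharp
// Added example (not from the ticket or from CKSource).
// Requires .NET 4.5; AsSanitizedHtml additionally assumes the
// HtmlSanitizer NuGet package (namespace Ganss.XSS).
using System;
using System.Net;

static class MessageDisplay
{
    // Constructed sample of what a sender could submit through the editor.
    public const string Untrusted =
        "<p>Hi <b>Bob</b></p><img src=x onerror=\"alert(1)\">";

    // The ticket's approach: encode, then decode. The decode undoes the
    // encode, so the browser receives the original markup unchanged.
    public static string EncodeThenDecode(string html)
    {
        string encoded = WebUtility.HtmlEncode(html);
        return WebUtility.HtmlDecode(encoded); // identical to html
    }

    // Option 1: show the message as plain text. Safe, but all rich
    // formatting from the editor is lost (the tags appear literally).
    public static string AsPlainText(string html)
    {
        return WebUtility.HtmlEncode(html);
    }

    // Option 2: keep rich formatting by running an allow-list sanitizer
    // on the server before the HTML is stored or rendered. Assumed
    // HtmlSanitizer API: anything not listed below is stripped, so the
    // <img> element (and its onerror handler) does not survive.
    public static string AsSanitizedHtml(string html)
    {
        var sanitizer = new Ganss.XSS.HtmlSanitizer();
        sanitizer.AllowedTags.Clear();
        sanitizer.AllowedTags.UnionWith(
            new[] { "p", "b", "i", "u", "ul", "ol", "li", "a", "br" });
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("https");
        return sanitizer.Sanitize(html);
    }

    static void Main()
    {
        // True: the encode/decode round trip performed no sanitization.
        Console.WriteLine(EncodeThenDecode(Untrusted) == Untrusted);
        Console.WriteLine(AsPlainText(Untrusted));
        Console.WriteLine(AsSanitizedHtml(Untrusted));
    }
}
```

In a Web Forms page, the output of AsSanitizedHtml (or AsPlainText) is what goes into lblText.Text; a Label renders its Text without encoding, so whatever string reaches it is what client B's browser will execute. Sanitizing once on the server at receive time, as the reply recommends, also covers every later place the message is displayed.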

comment:5 Changed 4 years ago by Furkan Gözükara

Ty for the answer. I see that CKEditor is useless for me because it doesn't provide any XSS security :(

comment:6 Changed 4 years ago by Jakub Ś

CKEditor JavaScript is just a client-side application. The client-side protection can always be worked around, so even if you have super XSS protection implemented in your JavaScript, you still need to have protection on the server side.
OK, there is an ASP.NET control which could implement some server-side protection, but for the reasons mentioned in comment:1 we haven't decided to do so.
