XSS Protection with TinyMCE

As far as I noticed, TinyMCE has its own escaping of metacharacters, and using htmlspecialchars() will only clutter up the output and show <p>, etc. instead of rendering them in a browser. It is easy to disable JavaScript and enter malicious code that will be displayed when another user with JavaScript enabled visits the content.

So I need to use the correct server-side validation, but how can I do it right for sure, given the thousands of XSS methods? Is there an efficient way that works with TinyMCE, for example "using htmlspecialchars() with TinyMCE"?

So far I have made a whitelist of allowed HTML tags and replaced any javascript: and similar :void occurrences in the content to try to protect against inline JavaScript such as onClick="javascript:void(alert('XSS'));", but I feel that is not enough.

Any advice on this would be greatly appreciated, but remember that certain content should be correctly displayed in the output, which is why I use TinyMCE in the first place. I need to protect only against XSS.

In addition, while on the subject: how can I protect myself from CSS-based XSS, for example style="background-image: url(XSS here);"?

+7
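As an added example, not code from the question or either answer: an allow-list sanitizer written in Python (the same approach HTMLPurifier takes in PHP), showing why replacing "javascript:" is not enough and what a server-side filter has to check for editor output: tag names, attribute names per tag, URL schemes after normalisation, and CSS properties inside style="". The tag/attribute/CSS allow-lists and the sample inputs below are constructed for the demo and are not TinyMCE's or HTMLPurifier's defaults.

```python
# Added example (not from the question or answers): allow-list HTML sanitizer for
# rich-text editor output. Allow-lists and sample inputs are constructed for the demo.
from html.parser import HTMLParser
from html import escape
import re

ALLOWED_TAGS = {                      # tag -> attributes permitted on it
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
STYLE_ALLOWED_ON = {"p", "li", "h1", "h2", "h3"}     # tags that may carry style=""
ALLOWED_CSS_PROPS = {"color", "text-align", "font-weight", "font-style"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style"}                   # drop the tag AND its text

def url_is_safe(value: str) -> bool:
    # Browsers strip ASCII control characters and whitespace before reading the
    # scheme, so "jav\tascript:" and " JavaScript:" both execute; normalise first.
    cleaned = "".join(ch for ch in value if ord(ch) > 32 and ord(ch) != 127)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    if m is None:
        return True                   # no scheme: a relative URL, which is fine
    return m.group(1).lower() in ALLOWED_SCHEMES

def sanitize_style(value: str) -> str:
    # Keep only allow-listed properties with plain values. The value pattern has
    # no "(", "\", "/" or ":", so url(...), expression(...) and CSS escapes cannot
    # appear; "background-image: url(...)" is dropped because the property itself
    # is not on the list.
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS_PROPS and re.fullmatch(r"[a-zA-Z0-9#%., -]+", val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        # Attribute values arrive already entity-decoded, so "&#106;avascript:" is
        # checked as "javascript:" rather than slipping past a string match.
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return                    # unknown tag is dropped, its text is kept
        safe = []
        for name, value in attrs:     # HTMLParser lowercases attribute names
            value = value or ""
            if name == "style" and tag in STYLE_ALLOWED_ON:
                value = sanitize_style(value)
                if value:
                    safe.append((name, value))
                continue
            if name not in ALLOWED_TAGS[tag]:
                continue              # this also drops every on* handler
            if name in ("href", "src") and not url_is_safe(value):
                continue
            safe.append((name, value))
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in safe)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
            return
        if tag in self.open:          # close back to the match; output stays well-formed
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def result(self) -> str:
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize(html: str) -> str:
    p = AllowListSanitizer()
    p.feed(html)
    p.close()
    return p.result()

SAMPLES = {  # constructed inputs
    "handler": '<p onClick="javascript:void(alert(\'XSS\'))">hi</p>',
    "entity":  '<a href="&#106;avascript:alert(1)">x</a>',
    "tab":     '<a href="jav\tascript:alert(1)">x</a>',
    "css":     '<p style="color: red; background-image: url(javascript:alert(1))">t</p>',
    "script":  '<p>a</p><script>alert(1)</script><b>b</b>',
    "ok":      '<p style="text-align: center">See <a href="https://example.com">here</a></p>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} {sanitize(raw)}")
```

The "ok" sample passes through unchanged, while each of the others loses exactly the dangerous part: the event handler, the entity-encoded and tab-obfuscated javascript: URLs, the background-image declaration, and the script element with its body. Because the decision is "is this on the list" rather than "does this look like an attack", new bypass tricks for the deny-list do not matter.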
2 answers

HTMLPurifier is one of the solutions for PHP: http://hp.jpsband.org/

+2

For .Net: http://msdn.microsoft.com/en-us/security/aa973814.aspx

I also fight fire using:

$(".userpost").children().off();

This prevents users from using your existing JavaScript. One of the biggest annoyances in the Microsoft library is the addition of "x_" in front of all classes. This is fine until someone edits an existing post and adds another x_ in front. I just get rid of x_ altogether with the regex, since the above code makes the "x_" prefix pointless.

This removes the "x_" for 3 classes in VB.Net:

Regex.Replace(myHtml, "(<\w+\b[^>]*?\b)(class="")x[_]([a-zA-Z]*)( )?(?:x[_])?([a-zA-Z]*)?( )?(?:x[_])?([^""]*"")", "$1$2$3$4$5$6$7")

I am sure there is a cleaner way to do this.

0