views: 76, answers: 3

I'm using jWYSIWYG in a form I'm creating that posts to a database and was wondering how you can prevent a malicious user from trying to inject code in the frame?

Doesn't the editor need brackets (which I'd normally strip during the post process) in order to display styles?

+2  A: 

If the editor allows arbitrary HTML, you're fighting a losing battle since users could simply use the editor to craft their malicious content.

If the editor only allows for a subset of markup, then it should use an alternative syntax (similar to how stackoverflow does it), or you should escape all HTML except for specific, whitelisted tags.

Note that it's pretty easy to not do this correctly so I would use a third-party solution that has been appropriately tested for security.

Ben S
Hey Ben, the problem is our user base is by and large not tech-savvy... so the WMD (what Stack Overflow uses for its ask-question markup) style 'markup substitute' doesn't really work. I don't think our editor allows arbitrary HTML, but it allows users to select styling such as bold, italic, indent, undo, etc. I guess maybe the best bet is to just not allow styling.
Walker
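As an added illustration of the two options in this answer (example code, not Ben's, not jWYSIWYG's and not from any library), the block below contrasts escaping everything with parsing the submission through PHP's DOMDocument and re-emitting only tags on an allowlist, with every attribute except a vetted href discarded. The tag list, function names and the sample submission are assumptions constructed for the demonstration; the answer's caveat stands, and in production a tested library is the right choice.

```php
<?php
// Added example, not code from the answer above or from jWYSIWYG.
// Tag list, helper names and the sample input are constructed assumptions.

// Tags a bold/italic/indent-only editor actually needs. Anything else is
// unwrapped: its text survives, the element does not.
const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'blockquote', 'a'];

// Elements whose content must be dropped too, not just the tag itself.
const DROP_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Option 1: escape everything. Safe, but the editor's <b>/<i> markup is
// rendered as literal text, so all styling is lost.
function escapeAll(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Option 2: parse, then re-serialise only what is on the allowlist.
// Re-serialising from the DOM rather than regex-patching the input means
// malformed or nested markup cannot smuggle a tag past the filter.
function sanitizeWhitelist(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // broken markup must not spew warnings
    // The XML prolog forces UTF-8; the <div> makes libxml open <body> at once
    // so a leading <script> is not quietly moved into <head>.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    // The wrapper <div> is not on the allowlist, so it unwraps itself below.
    return $body === null ? '' : serializeChildren($body);
}

function serializeChildren(DOMNode $parent): string
{
    $out = '';
    foreach ($parent->childNodes as $node) {
        $out .= serializeNode($node);
    }
    return $out;
}

function serializeNode(DOMNode $node): string
{
    if ($node instanceof DOMText) {
        // Text is always re-escaped, so a "<" typed by the user stays literal.
        return htmlspecialchars($node->nodeValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    if (!$node instanceof DOMElement) {
        return '';                                // comments, PIs: dropped
    }
    $tag = strtolower($node->nodeName);
    if (in_array($tag, DROP_CONTENT, true)) {
        return '';                                // tag and its body both go
    }
    if (!in_array($tag, ALLOWED_TAGS, true)) {
        return serializeChildren($node);          // unknown tag: keep text, lose element
    }
    if ($tag === 'br') {
        return '<br>';
    }
    // No attribute survives except a vetted href on <a>, so event handlers
    // (onclick, onerror, ...) and style= are gone whatever they are called.
    $attrs = '';
    if ($tag === 'a') {
        $href = $node->getAttribute('href');
        // The DOM hands back the entity-decoded value, so "javascript&#58;"
        // is already "javascript:" here and fails the scheme allowlist.
        if (preg_match('#\A\s*https?://#i', $href)) {
            $attrs = ' href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" rel="nofollow"';
        }
    }
    return '<' . $tag . $attrs . '>' . serializeChildren($node) . '</' . $tag . '>';
}

// Constructed sample of what a hostile user could submit through the editor.
$submitted = '<p>Hello <b onmouseover="alert(1)">world</b> <i>there</i></p>'
    . '<script>steal(document.cookie)</script>'
    . '<img src=x onerror="alert(2)">'
    . '<a href="javascript:alert(3)">click</a> '
    . '<a href="https://example.com/">ok</a>';

echo escapeAll($submitted), "\n";          // styling lost, nothing executes
echo sanitizeWhitelist($submitted), "\n";  // bold/italic kept, handlers and script gone
```

Run it with `php sanitize.php`. The point of the second function is that the allowlist is applied to elements and attributes separately: a tag being permitted never implies its attributes are, which is exactly where a regex-based filter tends to go wrong.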
+2  A: 

Ultimately, the output is in your own hands when you insert it into the database; that is when you need to make sure that you strip away anything malicious. The simplest way will probably be to use htmlentities against such data; however, there are other ways bad guys can bypass that. Here is a nice script, also implemented by the popular Kohana PHP framework for its input class, against possible XSS attacks:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php

Sarfraz
The problem is if I run a script like that on the rich text, won't it strip the styles from code with styling (bold, italic, headers etc.) that the user created with our WYSIWYG editor?
Walker
+1  A: 

I have encountered similar situations, and I have started using HTMLPurifier on my PHP backend which will prevent every attack vector I can think of. It is easy to install, and will allow you to whitelist the elements and attributes. It also prevents the XSS attacks that could still exist whilst using htmlentities.

Justin
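As an added example of the whitelisting this answer describes (not Justin's code and not from the HTMLPurifier project itself), the block below puts the editor's bold/italic markup through HTMLPurifier and, for contrast, through PHP's built-in `strip_tags()` with an allowed-tag list. It assumes HTMLPurifier is installed with Composer (`composer require ezyang/htmlpurifier`), that `vendor/autoload.php` sits next to the script, and that the system temp directory is writable for the purifier's cache; the sample submission is constructed.

```php
<?php
// Added example; assumes HTMLPurifier installed via Composer and a
// writable cache directory. The sample input below is constructed.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample: the editor's own bold/italic plus an injected
// event handler, a javascript: link and a script block.
$dirty = '<p>Hello <b onmouseover="alert(1)">world</b> <i>there</i></p>'
    . '<a href="javascript:alert(2)">click</a>'
    . '<script>steal(document.cookie)</script>';

// What NOT to do: strip_tags() with an allowed-tag list keeps every
// attribute on the tags it allows, so onmouseover and the javascript:
// href come through untouched.
function naiveStrip(string $html): string
{
    return strip_tags($html, '<p><b><i><a>');
}

// HTMLPurifier: allowlist elements and attributes together, plus the URI
// schemes an href may carry. Everything else is removed or rewritten;
// <script> and <style> lose their contents as well as their tags.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    // Only the markup the editor's buttons can actually produce.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,ul,ol,li,blockquote,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);                 // rel="nofollow" on every link
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

function sanitizeRichText(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildPurifier();
    }
    return $purifier->purify($html);
}

echo naiveStrip($dirty), "\n";        // tags filtered, attributes still live
echo sanitizeRichText($dirty), "\n";  // bold/italic kept, handler, link and script gone

// Store the purified string, not $dirty. Because it is already a known-safe
// subset of HTML it must be echoed as-is on the page; running htmlentities
// over it a second time on output would bring back the "styles stripped"
// problem raised in the comments above.
```

The `HTML.Allowed` string is the whole contract with the editor: if a toolbar button produces an element or attribute not listed there, HTMLPurifier removes it silently, so the list should be derived from what jWYSIWYG's buttons emit rather than guessed. The purifier covers markup only; the database write itself still belongs in a parameterised query, which is a separate issue from the one asked about here.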