CKEditor Security Recommendations

I use http://ckeditor.com/ in the small PHP / MySQL forum that I created. My questions:

  • Is it safe to save user-created HTML like this in a database and then redisplay it in my application? What precautions should be taken to ensure the safety of users of my forum from script injection, etc.?

    <p>test</p> <span style="font-size: 14px;">test</span> 
  • Would it be safer to use BBCode instead of HTML? I tried the ckeditor bbcode plugin, but it lacks basic formatting like text alignment ... Does anyone know how to extend the plugin to add text alignment to it?

1 answer

For your first question, you need to do two basic things:

  • Safely store user content in your database so that you are not vulnerable to SQL injection attacks. See this SO question on how best to deal with this => The best way to stop SQL Injection in PHP.

  • Prevent someone from sending insecure HTML to your database, which will then be re-rendered to your users and make them vulnerable to an XSS attack. There are many questions that relate to this here on SO. Here is one => XSS Prevention in PHP.

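As an added example (not code from the question, the answer, or CKEditor itself), the second point above in PHP: an allowlist sanitizer, built on the standard DOM extension, for the kind of markup CKEditor produces, such as the `<span style="font-size: 14px;">` fragment in the question. The tag, attribute and style allowlists and the DROP_WITH_CONTENT list are assumptions to adapt to the toolbar you enable.

```php
<?php
// Allowed tags and, per tag, the attributes kept (assumed list; match your CKEditor toolbar).
const ALLOWED_TAGS = ['p' => ['style'], 'span' => ['style'], 'strong' => [], 'em' => [],
                      'ul' => [], 'ol' => [], 'li' => [], 'br' => []];
// Allowed CSS declarations inside style="": property => pattern the value must match.
const ALLOWED_STYLES = ['font-size' => '/^\d{1,2}px$/', 'text-align' => '/^(left|right|center|justify)$/'];
// Elements dropped together with their subtree; other unknown tags are unwrapped (their text survives).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizeHtml(string $html): string
{
    if (trim($html) === '') { return ''; }
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);                    // tolerate sloppy user markup
    $dom->loadHTML('<?xml encoding="utf-8"?>' . $html);  // libxml wraps the fragment in <html><body>
    libxml_clear_errors();
    if (($body = $dom->getElementsByTagName('body')->item(0)) === null) { return ''; }
    sanitizeNode($body);
    return implode('', array_map([$dom, 'saveHTML'], iterator_to_array($body->childNodes, false)));
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot: the live childNodes list changes while nodes are removed.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) { continue; }  // text nodes are re-escaped by saveHTML
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) { $node->removeChild($child); continue; }
        if (!isset(ALLOWED_TAGS[$tag])) {                 // unknown tag: keep its children, drop the tag
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child); continue;
        }
        sanitizeNode($child);
        foreach (iterator_to_array($child->attributes, false) as $attr) {  // drops onclick, onerror, href, ...
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_TAGS[$tag], true)) { $child->removeAttribute($attr->name); }
            elseif ($name === 'style') { $child->setAttribute('style', filterStyle($attr->value)); }
        }
    }
}

function filterStyle(string $style): string               // keeps only allowlisted property/value pairs
{
    $kept = [];
    foreach (explode(';', $style) as $decl) {
        [$prop, $val] = array_map('trim', explode(':', strtolower($decl), 2)) + [1 => ''];  // '' if no colon
        if (isset(ALLOWED_STYLES[$prop]) && preg_match(ALLOWED_STYLES[$prop], $val)) { $kept[] = "$prop: $val"; }
    }
    return implode('; ', $kept);
}
```

Run sanitizeHtml() on the submitted post before binding it to a PDO prepared-statement placeholder (the first point above), and run it again when rendering, so rows stored before the filter existed are covered too.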

Source: https://habr.com/ru/post/1369422/
