Prevent XSS in CKEditor

I want to save my application from attack, so I wanted to disable any type of execution in my CKEditor config. I found a solution, allowContent: false, which prevents <script> tags inside CKEditor, but after putting <p><a href="javascript:(alert(document.domain))">XSS</a></p> in the CKEditor, it executes the JS inside href.

config

config = {
   ...,
   allowContent: false
}

Now the script below doesn't work after putting the above config:

<script>alert(1)</script>

I also wanted to prevent the JS below inside href, but currently it is executing:

<p><a href="javascript:(alert(document.domain))">XSS</a></p>
about 3 years ago · Juan Pablo Isaza

You have to sanitize the data input to the CKEditor. The config.htmlEmbed.sanitizeHtml option of CKEditor allows plugging in an external sanitizer.

In my opinion, the best sanitizer available for now is the DOMPurify library.

Here is more info on including DOMPurify in CKEditor: more info.

In my opinion, it is very hard to secure CKEditor "by yourself", so better use a sanitizer. There were some security issues in this software; an interesting example is described here: CKEditor XSS

about 3 years ago · Juan Pablo Isaza
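As an added illustration (not code from the question, the answer, CKEditor or DOMPurify), here is a sanitizer written in the shape CKEditor 5 expects for config.htmlEmbed.sanitizeHtml, a function returning { html, hasChanged }. It shows the decision that matters for the question's payload: the danger is the URL scheme of the href, not a tag, so stripping <script> tags is not enough. The regex attribute walk is a demonstration only; in production the answer's advice stands and DOMPurify, which works on the parsed DOM, should be the sanitizer.

```javascript
// Added example: an href-scheme allowlist in the shape of CKEditor 5's
// htmlEmbed.sanitizeHtml hook. Names (SAFE_SCHEMES, isSafeHref) are ours.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Decide whether an href value may be kept. The decision is made on the URL
// scheme, which is why allowContent: false (which removes <script> tags) does
// not stop the question's payload: that payload contains no script tag.
function isSafeHref(href) {
  // Browsers drop leading/trailing whitespace and ASCII control characters
  // before parsing a URL, so the check must do the same before reading the scheme.
  const cleaned = href.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true;                      // relative URL, e.g. /docs or #top
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Hook-shaped sanitizer: rewrite every unsafe href on an <a> tag to "#".
// Caveat: this runs on raw markup, so an href written with HTML entities
// would be decoded by the browser but not by this regex. A DOM-based
// sanitizer such as DOMPurify sees the decoded value, which is one reason
// to plug it in here instead of a hand-written filter.
function sanitizeHtml(html) {
  let hasChanged = false;
  const out = html.replace(
    /(<a\b[^>]*?\s)href=("([^"]*)"|'([^']*)')/gi,
    (whole, prefix, _quoted, dq, sq) => {
      const value = dq !== undefined ? dq : sq;
      if (isSafeHref(value)) return whole;
      hasChanged = true;
      return prefix + 'href="#"';             // neutralise the link, keep its text
    }
  );
  return { html: out, hasChanged };
}

// Where it plugs into the editor configuration (CKEditor 5 htmlEmbed plugin).
const editorConfig = {
  htmlEmbed: { showPreviews: true, sanitizeHtml },
};

// Applied to the payload from the question (constructed input).
const result = sanitizeHtml('<p><a href="javascript:(alert(document.domain))">XSS</a></p>');
console.log(result.hasChanged, result.html);   // true <p><a href="#">XSS</a></p>
```

The `htmlEmbed.sanitizeHtml` hook only governs HTML embed previews; links typed into the editor body still need the same scheme check applied at output time, which DOMPurify performs by default.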