Sanitize HTML data received from CKEditor getData() method [ckeditor] - ckeditor4.x

I want to get sanitized data from CKEditor when I use CKEDITOR.instances['textareaId'].getData(); function.
I have noticed CKEditor internally sanitized the input provided in the 'Source' part.
Example
If the input is <p onclick="alert('document.cookie')">Some Text</p> it gets converted to <p>Some Text</p>.
But when I try to retrieve the data using CKEDITOR.instances['textareaId'].getData(); it returns <p onclick="alert('document.cookie')">Some Text</p>.
Is there any way where CKEditor sanitizes the data when the getData() function is called?

From CKEditor's point of view, don't disable Advanced Content Filter (ACF) - don't use config.allowedContent = true;. That way unwanted HTML attributes will be removed.
Please note however that JavaScript, no matter how good, can always be disabled, so ACF by no means can be treated as a security filter. If you wish to sanitize your HTML, please use a server-side library for that and not JavaScript. Sanitizing user input with your server-side application code is the only correct way to do it.

Related

How to display my tinymce text into my html view

I save into my database the text which I write into a textarea with tinymce.
What I'm trying to do now is to display this content in my view. Right now, when I'm doing {{$article->contenu}} I've this:
Is there a way to display my tinymce content into my view with the correct format please (not inside a textarea) ?
Content from TinyMCE is saved as an HTML string. You are passing that HTML content to Laravel's templating engine as a variable, and asking it to be rendered. By default Laravel does not automatically render HTML, to prevent XSS attacks.
However, if you use this syntax instead:
{!! $article->contenu !!}
...the content should render as expected. For more info, check the Laravel docs:
https://laravel.com/docs/5.6/blade#displaying-data

Allow copy / paste in a text_area field form but remove formatting

I have a text_area field in a form which allows some text formatting through a very simple WYSIWYG (bold / underline / bullet points). This was aimed at having a consistent formatting in the description profile of the users.
<%= l.text_area :access, value: "#{t('.access_placeholder_html')}" %>
Nevertheless, some users usually fill the text_area by copy / pasting directly from their website. And their specific formatting ("hypertext links", font size, etc.) is afterwards reflected on my website, which makes it a bit dirty.
How can I solve this problem? Ideally I would love that when saving the form it gets rid of all the HTML code that is not allowed, instead of not allowing copy / paste. Is this possible? Was wondering if I should use Sanitize, but if so how? (Sorry, new to code, I guess you would have understood.)
You didn't say which version of Rails, but you could use #sanitize from ActionView::Helpers::SanitizeHelper module to strip all the HTML formatting. It scrubs HTML from text with a scrubber. The default scrubber allows optional whitelisting of attributes. You can even build your own custom scrubber to modify the string if you need more control over what is output. The module also contains #strip_tags and #strip_links, which are very simple scrubbers that remove all HTML tags and all HTML link tags (leaving the link text).
Note that you can wind up with malformed text if the user's input wasn't valid HTML.
Quick examples from the docs:
# remove all HTML tags except <strong>, <em> and <a>, and the
# href attribute, from @text
nomarkup_text = sanitize @text, tags: %w(strong em a), attributes: %w(href)
# remove all HTML markup
strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
returns the string Bold no more! See more here...
# remove just the link markup
strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
returns the string Please e-mail me at me@email.com.
More detail at the API page for SanitizeHelper

Using a custom html tag in CKEditor

I am trying to integrate CKEditor into an internal PHP application, where in the past I was just pasting my HTML into a textarea field in a form.
This HTML that I am submitting in the form is for a custom template system that uses custom tags. These custom tags would then be replaced with real data by my backend. For example, an invoice would have the custom tag <%INVOICE#%>, which my backend would replace with the correct invoice number.
When using CKEditor, these types of tags are being converted into HTML entities such as &lt;%INVOICE#%&gt;, which breaks my string replacement on the backend.
Is there a way to make CKEditor recognize tags that are in the format <%*%> and not convert them in any way?
The simplest way to protect those tags against modifications would be to use config.protectedSource. With the Show Protected plugin (a 3rd-party addon), you could even see the protected code in the wysiwyg area.
A more user-friendly solution would be to adapt the widget-based Placeholder plugin to recognize the syntax you use for custom tags. This plugin is just a proof-of-concept solution, so you can improve it in any way you like, e.g. by offering a select element to the end user with the list of valid placeholders instead of asking them to type the placeholders manually.
Widgets are powerful, which means that it is technically possible to write even a plugin that returns <%INVOICE#%> in the source code, but shows the real invoice number in the wysiwyg area.

Get CKEditor contents without updating the textarea

Fairly new to CKEditor here. I'm aware that you need to call the updateElement() method for CKEditor to send the current editor content to the related textarea element. From there, you can call the getData() function to get the content. (Although I don't understand why there are two steps to get the editor content, instead of one.)
However, I want to get the current content directly from the editor, without changing the related textarea content. Is there a CKEditor method to achieve that, or is it a case of using jQuery to find the editor content?
The getData method will return the raw HTML from the editor.

CodeIgniter sanitizing POST values

I have a text area in which I am trying to add YouTube embed code and other HTML tags. $this->input->post is converting the < and > of the <iframe> tags to &lt; and &gt; respectively, but not those of the <h1> and <h2> tags.
Any idea how I can store these values?
If you only have a small number of forms that you need to allow iframes in, I would just write a function to restore the iframe (while validating that it's a valid YouTube embed code).
You can also turn off global_xss_filtering in your config (or not implement it if you're using it), but that's not the ideal solution (turning off all of your security to get one thing to work is generally a horrible idea).
$config['global_xss_filtering'] = FALSE;
To see all of the tags that get filtered out, look in the CI_Input class and search for the '$naughty' variable. You'll see a pipe-delimited list (don't change anything in this class).
Why don't you avoid CI's auto-sanitizing and use something like htmlspecialchars($_POST['var']);? Or make a helper function for sanitizing YouTube URLs...
Or you could either just ask for the video ID code or parse the code from what you are getting.
This would let you use both the URL or the embed code.
Also, storing just the ID takes less space in your database, and you could write a helper function to output the embed code/URL.
In this case, use $_POST instead of $this->input->post to get the original text area value, and then use HTML Purifier to clean the contents without losing the <iframe> tag you want.
You will need to check HTML Purifier documentation for details. Please, check this specific documentation page about "Embedding YouTube Videos".
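Added example (not code from CKEditor, Rails, CodeIgniter or HTML Purifier): a minimal server-side allow-list sanitizer in plain Python that shows the principle behind the ACF answer, the Rails sanitize/strip_tags examples and the YouTube iframe question above: event-handler attributes such as onclick are dropped, tags not on the list are unwrapped to their text, and an <iframe> survives only when its src is an https://www.youtube.com/embed/ URL. The class and function names and the URL policy are my assumptions, chosen to mirror the three threads.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "hr", "img"}  # never get a closing tag

def url_is_safe(tag, attr, value):
    """Assumed policy: href may be relative/http(s)/mailto; <iframe src> only YouTube embeds."""
    value = value.strip()
    if any(ord(c) < 33 for c in value):  # embedded whitespace/control chars defeat scheme checks
        return False
    u = urlparse(value)  # lower-cases the scheme, so "JavaScript:" is caught as well
    if tag == "iframe" and attr == "src":
        return u.scheme == "https" and u.netloc == "www.youtube.com" and u.path.startswith("/embed/")
    return u.scheme in ("", "http", "https", "mailto")

class AllowListSanitizer(HTMLParser):  # keeps only allowed tags/attributes, re-escapes text
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed  # {tag: set of allowed attribute names}
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):  # the parser lower-cases tag and attribute names
        kept = {}
        for name, value in attrs:
            if name in self.allowed.get(tag, ()) and value is not None:
                if name not in ("href", "src") or url_is_safe(tag, name, value):
                    kept[name] = value
        # Unknown tags, and an <iframe> whose src failed the check, are dropped with their end tag.
        if tag not in self.allowed or (tag == "iframe" and "src" not in kept):
            if tag not in VOID_TAGS: self.dropped.append(tag)
            return
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self.dropped and self.dropped[-1] == tag:
            self.dropped.pop()
        elif tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, allowed):
    parser = AllowListSanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# e.g. sanitize("<p onclick=\"alert(1)\">Some Text</p>", {"p": set()}) -> "<p>Some Text</p>"
```

This is an illustration of the allow-list approach; for production use a maintained library such as HTML Purifier, rails-html-sanitizer or bleach.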
