We are using CKEditor to create HTML content in Strapi.
The client then pulls it and displays it on the site using dangerouslySetInnerHTML.
There is a potential XSS risk: if one of the CMS admin accounts is compromised, the attacker could insert a malicious script into the content, and it would run in the browser of every visitor who views that page.
To guard against this, the client should sanitize the HTML it receives from Strapi and only allow a whitelist of HTML tags. The whitelist has to cover attributes as well, because an event handler such as onerror on an otherwise harmless tag, or a javascript: URL in an href, is just as dangerous as a script tag.
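As an added illustration of the sanitization step (this is example code written for this page, not code from Strapi, CKEditor, React or any library), the function below tokenizes the CMS HTML and rebuilds it from an allowlist of tags and per-tag attributes: text is re-escaped, unknown tags are dropped, the contents of script/style-like elements are discarded, and href values are only kept for http, https, mailto or relative URLs after entity decoding and control-character stripping. The tag and attribute lists, the rel attribute added to links, and the sample inputs are assumptions chosen for the example. In production, a parser-based library such as DOMPurify with an equivalent allowlist is the better choice, since a regex tokenizer does not model every browser parsing quirk; the point here is what the allowlist must cover.

```javascript
// Added example: allowlist HTML sanitizer to run on the client before the
// content is passed to dangerouslySetInnerHTML={{ __html: sanitizeHtml(body) }}.
// Constructed for this page; tag/attribute lists are assumptions.

// Allowed tags and, per tag, the attributes that may survive.
const ALLOWED_TAGS = new Map([
  ["p", []], ["br", []], ["strong", []], ["em", []], ["b", []], ["i", []],
  ["ul", []], ["ol", []], ["li", []], ["h1", []], ["h2", []], ["h3", []],
  ["blockquote", []], ["code", []], ["pre", []],
  ["a", ["href", "title"]],
]);

// Elements whose text content is dropped together with the tag.
const DROP_WITH_CONTENT = new Set([
  "script", "style", "iframe", "object", "embed", "template", "noscript", "svg", "math",
]);

const ALLOWED_URL_SCHEMES = new Set(["http", "https", "mailto"]);

// Minimal entity decoder: named entities CKEditor commonly emits plus numeric ones.
const NAMED_ENTITIES = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["nbsp", "\u00a0"],
]);

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED_ENTITIES.get(body.toLowerCase());
    return v === undefined ? m : v;
  });
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the cleaned URL, or null if its scheme is not on the allowlist.
function safeUrl(raw) {
  // Decode entities first, then strip ASCII controls/whitespace the way browsers
  // do, so "java\tscript:" and "javascript&#58;" are both recognised and rejected.
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  if (m && !ALLOWED_URL_SCHEMES.has(m[1].toLowerCase())) return null;
  return url; // relative URLs (no scheme) are allowed
}

const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_TAGS.get(tag);
  let out = "";
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) continue; // drops onerror, onclick, style, ...
    let value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name === "href") {
      value = safeUrl(value);
      if (value === null) continue;
    } else {
      value = decodeEntities(value);
    }
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  if (tag === "a" && out.includes(' href="')) out += ' rel="noopener noreferrer"';
  return out;
}

// Comments are one token kind (dropped); tags are the other; everything else is text.
const TOKEN_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

function sanitizeHtml(html) {
  let out = "";
  let last = 0;
  let skipUntil = null; // name of the drop-with-content element we are inside, if any
  for (const m of html.matchAll(TOKEN_RE)) {
    const text = html.slice(last, m.index);
    last = m.index + m[0].length;
    if (!skipUntil) out += escapeHtml(decodeEntities(text));
    if (m[1] === undefined) continue; // comment
    const tag = m[1].toLowerCase();
    const closing = m[0][1] === "/";
    if (skipUntil) {
      if (closing && tag === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(tag) && !closing) { skipUntil = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown tag dropped, its text kept
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, m[2])}>`;
  }
  if (!skipUntil) out += escapeHtml(decodeEntities(html.slice(last)));
  return out;
}

// Constructed sample of what a compromised admin account could save in the CMS.
const HOSTILE_BODY =
  '<p onclick="alert(1)">Hi</p><script>alert(1)</script>' +
  '<img src=x onerror=alert(1)><a href="java&#x09;script:alert(1)">x</a>';
```

Anything that fails a check here degrades to either plain escaped text or a stripped attribute, never to a tag the allowlist does not name; a stray `>` inside an attribute value, for example, ends the tag early and the remainder is emitted as escaped text.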