datnguyen765 closed 1 year ago
Thanks for your advice. The CKEditor is configured in a way that allows the most flexibility. Website owners have to make sure that no malicious users gain backend access. If someone administrates a website with a lot of / not well-known (potentially malicious) users, content filters for the CKEditor can be activated via the editor's own configuration files (see https://ckeditor.com/docs/ckeditor4/latest/guide/dev_acf.html), but in our eyes ACF has too many disadvantages to activate this by default. But maybe it's an idea to publish a "CKEditor ACF edition" alongside the existing editions (default/developer).
It's really easy. If you don't trust your backend users, just go to /modules/ckeditor/ckeditor/config.js and change
config.allowedContent = true;
to
config.allowedContent = false;
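The ACF setting discussed above can also be given an explicit allow-list rather than a boolean. The following is an added example, not part of the thread or the project's code: `applyAcfConfig` and `acfFindings` are hypothetical names, and the allowed element list is an assumption to adapt to the site's content.

```javascript
// Added example (hypothetical helper names; not the project's own config.js).
// In CKEditor 4, allowedContent = true switches ACF off completely;
// a rule string switches it on and permits only the listed markup.
function applyAcfConfig(config) {
  config.allowedContent =
    'h1 h2 h3 p blockquote ul ol li strong em u;' + // plain text structure
    'a[!href,target];' +                            // links must carry href
    'img[!src,alt,width,height];' +                 // images must carry src
    'table tr th td caption';                       // simple tables
  return config;
}

// Elements that defeat the purpose of an allow-list if they appear in it.
const RISKY_ELEMENTS = new Set(['script', 'iframe', 'object', 'embed']);

// Review helper: report settings that leave the editor accepting active content.
function acfFindings(config) {
  const findings = [];
  const rules = config.allowedContent;
  if (rules === true) {
    findings.push('ACF disabled: allowedContent is true');
    return findings;
  }
  if (typeof rules !== 'string') return findings; // unset: ACF automatic mode
  for (const rule of rules.split(';')) {
    const text = rule.trim();
    // Rule shape: "elements [attributes]{styles}(classes)"
    const elements = text.split(/[\[{(]/)[0].trim().split(/\s+/).filter(Boolean);
    for (const el of elements) {
      if (RISKY_ELEMENTS.has(el)) findings.push('risky element allowed: ' + el);
    }
    if (/\[[^\]]*\*/.test(text)) {
      findings.push('wildcard attributes allowed in rule: ' + text);
    }
  }
  return findings;
}

// Inside the editor's config.js the function is registered like this.
if (typeof CKEDITOR !== 'undefined') {
  CKEDITOR.editorConfig = applyAcfConfig;
}
```

ACF runs in the browser, so the server still has to sanitize submitted content for requests that bypass the editor.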
Hi Team, I found a small XSS via the Content Module
steps: