ckeditor / ckeditor4

The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.
https://ckeditor.com/ckeditor-4

[Trusted Types] Adding tooling for Trusted Types compatibility #5506

Closed youssef-attia closed 1 year ago

youssef-attia commented 1 year ago

What is the purpose of this pull request?

Addresses #4971. Initial PR to add tooling to help with making CKEditor Trusted Types compatible.

This would be used as follows. Say we have some JavaScript innerHTML assignment:

element.innerHTML = someHtml;

This would be an XSS sink and could potentially be dangerous, so we sanitize our input HTML:

safeHtml = sanitize(someHtml);
element.innerHTML = safeHtml;

Now, we have faith in the sanitizer and trust that this is safe, but this would still raise a report because the Trusted Types checker is not aware of the sanitizer. We can assure it that our input is safe using the tooling as follows:

safeHtml = sanitize(someHtml);
element.innerHTML = CKEDITOR.tools.htmlSafeByReview(safeHtml, 'sanitized');

Does your PR contain necessary tests?

Existing tests will cover this change.

Did you follow the CKEditor 4 code style guide?

What changes did you make?

Added a tooling function that will help with conversions to Trusted Types.
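The following is an added example, not code from this pull request or from CKEditor, showing how a "safe by review" helper of the kind described above can be built on the browser Trusted Types API. Under a CSP such as `require-trusted-types-for 'script'; trusted-types ckeditor-reviewed`, assigning a plain string to `element.innerHTML` is blocked (or only reported, with `Content-Security-Policy-Report-Only`); the sink accepts only a `TrustedHTML` value produced by a registered policy. The helper registers one policy lazily and wraps strings that a reviewed sanitizer has already cleaned, requiring a justification string at each call so the bypass points stay greppable during review. The names `makeTrustedTypesHelper`, `htmlSafeByReview`, `isTrustedHTML`, the policy name `'ckeditor-reviewed'`, the escaping `sanitize` stand-in and the `fakeTrustedTypes` stand-in for `window.trustedTypes` are all assumptions made for this illustration; the stand-in exists only so the example runs outside a browser.

```javascript
// Added example (not CKEditor's code). Assumed names: makeTrustedTypesHelper,
// htmlSafeByReview, isTrustedHTML, policy name 'ckeditor-reviewed'.

function makeTrustedTypesHelper(tt, policyName) {
  // `tt` is window.trustedTypes, or undefined in browsers without Trusted Types.
  // The policy is created once and cached: under a `trusted-types` CSP
  // directive, creating the same policy name twice throws.
  let policy = null;
  function getPolicy() {
    if (policy === null && tt && typeof tt.createPolicy === 'function') {
      policy = tt.createPolicy(policyName, {
        // Pass-through: the policy does not sanitize. The review happens
        // before this point, in the sanitizer the caller already applied.
        createHTML: (html) => html
      });
    }
    return policy;
  }

  return {
    // Wrap an already-sanitized string. `justification` must be a non-empty
    // string naming why the HTML is trusted (e.g. 'sanitized').
    htmlSafeByReview(html, justification) {
      if (typeof justification !== 'string' || justification.trim() === '') {
        throw new TypeError('htmlSafeByReview requires a justification');
      }
      const p = getPolicy();
      // Without Trusted Types support, return the string unchanged so the
      // same code path keeps working in older browsers.
      return p ? p.createHTML(html) : html;
    },
    // True when `value` is a TrustedHTML object from this factory.
    isTrustedHTML(value) {
      return !!(tt && typeof tt.isHTML === 'function' && tt.isHTML(value));
    }
  };
}

// Stand-in for a reviewed sanitizer (assumption): it escapes all markup, which
// is trivially safe. The point is only that the Trusted Types wrapper is
// applied after sanitization, never in place of it.
function sanitize(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(html).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for window.trustedTypes so the example runs offline.
// It mirrors the parts of the real API used above: createPolicy() rejects
// duplicate names, createHTML() returns an opaque object whose toString()
// yields the HTML, and isHTML() recognises that object.
function fakeTrustedTypes() {
  const names = new Set();
  class TrustedHTML {
    constructor(s) { this.s = String(s); }
    toString() { return this.s; }
  }
  return {
    createPolicy(name, rules) {
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      return { name, createHTML: (input) => new TrustedHTML(rules.createHTML(input)) };
    },
    isHTML: (v) => v instanceof TrustedHTML
  };
}

// Walk through the flow from the PR description: sanitize first, then mark
// the result as reviewed before it reaches the innerHTML sink.
function demo(tt) {
  const helper = makeTrustedTypesHelper(tt, 'ckeditor-reviewed');
  const untrusted = '<script>x()</script>';          // constructed input
  const safe = helper.htmlSafeByReview(sanitize(untrusted), 'sanitized');
  // In a browser: element.innerHTML = safe;  (accepted by the Trusted Types check)
  return { trusted: helper.isTrustedHTML(safe), html: String(safe) };
}

demo(typeof trustedTypes !== 'undefined' ? trustedTypes : fakeTrustedTypes());
```

In a real page the factory argument is `window.trustedTypes`, and the policy name passed to `makeTrustedTypesHelper` must be listed in the page's `trusted-types` CSP directive; a report-only CSP is the usual way to find every remaining plain-string sink before enforcing.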

jacekbogdanski commented 1 year ago

Hey @youssef-attia!

CKEditor 4 reached its end of life in June, so, unfortunately, we can no longer accept code contributions. The existing options after the end of life are described in our readme, I hope that will help you to make a decision on what to do next: https://github.com/ckeditor/ckeditor4#summary-of-options-after-the-ckeditor-4-end-of-life