mostafaznv / nova-ckeditor

CkEditor 5 Field for Laravel Nova with Media & Snippet Browsers
https://mostafaznv.gitbook.io/nova-ckeditor/
MIT License

xss vulnerability for ckeditor field #114

Closed Melvin924 closed 4 months ago

Melvin924 commented 6 months ago

When intercepting the POST request for the resource create, one could insert JS code into the body that runs when the resource is viewed. For example, when you insert something like

XSS

in the CKEditor body of the POST request.

mostafaznv commented 6 months ago

Hi @Melvin924,

Thanks for the report. I think I understand what you meant, but for clarification, could you please update your attached image? It appears to be broken now. Alternatively, if you could provide more details about the issue, that would be helpful.

Melvin924 commented 6 months ago

I see. Sorry for the broken image. Here are some more details of the problem I am running into. When doing a POST request for the resource and I inject some JS in the body like below, I can execute XSS attacks.

POST /nova-api/assignments/1?viaResource=&viaResourceId=&viaRelationship=&editing=true&editMode=update HTTP/2
Host: xxxxxxxxxxx
Cookie: [...]
------WebKitFormBoundarycm1OagGeXNQony1F
Content-Disposition: form-data; name="project"

1
[...]
------WebKitFormBoundarycm1OagGeXNQony1F
Content-Disposition: form-data; name="body"

<p element with malicious js here>element with malicious js here</p>

------WebKitFormBoundarycm1OagGeXNQony1F
[...]
mostafaznv commented 6 months ago

Yes, I see your argument. Securing content on the client-side is not fully trusted, as it can be easily bypassed. Therefore, adding sanitizers to CKEditor may not provide sufficient security.

Instead, a server-side solution involving validation and database entry phases would be more reliable. I suggest integrating something like html-sanitizer with model observers. This way, input can be sanitized before saving, creating, or updating events.

While I'm open to adding this feature to the package, I'm unsure if it falls under the responsibility of Nova CKEditor. Introducing an extra layer of complexity might be excessive for Nova, considering it's an admin panel used by trusted service admins.

I'd appreciate hearing your opinion and any ideas you may have on this matter.
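The server-side approach suggested above (an HTML sanitizer wired into a model observer so the field is cleaned before `creating`/`updating`) can be implemented in a few lines of Laravel. The block below is an added example written for this thread, not code from nova-ckeditor; it assumes a hypothetical Eloquent model `App\Models\Assignment` with a `body` column (named after the `assignments` resource in the request above) and uses the Symfony HtmlSanitizer component (`composer require symfony/html-sanitizer`) as the sanitizer. The allowlist is an assumption and should be adjusted to match whatever elements the CKEditor configuration actually produces.

```php
<?php
// Added example (not nova-ckeditor's own code): sanitize CKEditor HTML on the
// server before it reaches the database, so a hand-crafted POST body carrying
// <script> tags, on* handlers or javascript: URLs is stripped regardless of
// anything the client-side editor did or did not enforce.
//
// Assumptions (hypothetical): App\Models\Assignment with a `body` column, and
// symfony/html-sanitizer installed.

namespace App\Observers;

use App\Models\Assignment;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

class AssignmentObserver
{
    private HtmlSanitizer $sanitizer;

    public function __construct()
    {
        $config = (new HtmlSanitizerConfig())
            // Standard safe elements (p, ul, li, strong, a, ...). <script>,
            // <iframe>, event-handler attributes and javascript: hrefs are
            // removed; everything not listed is dropped, not escaped.
            ->allowSafeElements()
            // The media browser inserts images and figures; allow them with
            // only the attributes the editor needs, never on*.
            ->allowElement('img', ['src', 'alt', 'width', 'height'])
            ->allowElement('figure', ['class'])
            ->allowElement('figcaption')
            // Nova admin panels usually link to their own host, so keep
            // relative URLs; absolute URLs are still validated by the sanitizer.
            ->allowRelativeLinks()
            ->allowRelativeMedias();

        $this->sanitizer = new HtmlSanitizer($config);
    }

    /**
     * `saving` fires before both `creating` and `updating`, so a single hook
     * covers Nova's create request and the update request shown in the report.
     */
    public function saving(Assignment $assignment): void
    {
        if ($assignment->isDirty('body') && is_string($assignment->body)) {
            $assignment->body = $this->sanitizer->sanitize($assignment->body);
        }
    }
}
```

Register it once in `App\Providers\AppServiceProvider::boot()` with `Assignment::observe(AssignmentObserver::class);`. Two caveats a practitioner should keep in mind: the observer only protects writes made through Eloquent after it is installed, so rows stored before that (or written with query-builder `insert`/`update` calls, which bypass observers) need a one-time sanitizing pass; and because the sanitizer is an allowlist, any element CKEditor legitimately emits that is missing from the config will be silently stripped, so the allowlist and the editor toolbar configuration have to be kept in step.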