Replies: 8 comments
-
Editor.js sanitizes the HTML client-side. This is not very good, as you should never trust client. Skilled users can manipulate this and send you any data they want (eg.: removing the sanitization part client-side, and sending you raw HTML - security risk). Always make sure to double-check it in the backend and sanitize it, if it isn't (maybe a check to see if it contains some HTML characters, like |
Beta Was this translation helpful? Give feedback.
-
Yes, but my understanding is that Editor.js sanitizes on display. Is this correct? If it is, then e.g. a Also, see the second bullet point in the OP. |
Beta Was this translation helpful? Give feedback.
-
If you have no intention of storing whatever Editor.js creates server-side, then I agree with your hypothesis. Otherwise, surely the issue here is the complete lack of protection from incoming attack vectors, not client-side rendering ones? |
Beta Was this translation helpful? Give feedback.
-
Client side is fine, who would want to hack themselves - it's pointless to hack yourself, eg: render script without ever showing it to other users. My point was looking at server-side implementation. Example: When the comment is rendered along with the script, everytime you load the page with that comment, you are exposed to a risk. So, as for the original question "Is it OK for an API to not sanitize Editor.js documents?", the answer is - no, it's not okay. I agree with all that you said, I wrote this for whoever else might be looking at this - please, always also sanitize server-side, and don't trust clients. |
Beta Was this translation helpful? Give feedback.
-
Yup, agree 100% @CWKevo - your example is showing a client-side vector, but wow, the sheer thought of saving un-sanitized data anywhere server-side chills me to the bone. The potential for having your server compromised is off the charts. |
Beta Was this translation helpful? Give feedback.
-
Surely this is not the case if Editor.js does indeed sanitize on render? I.e., if Editor.js either removes the
The server? How so? Here's what the server is doing (I assume this goes for most servers accepting and returning Editor.js documents):
I don't see how any of this that can possibly put the server at risk. Can you give an example of how the server can be compromised by a (deliberately and maliciously crafted) Editor.js document? |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Thanks, this is exactly the kind of clarification I needed.
Yes, but in our case most services do accept Editor.js user input. (We have mostly public API microservices, few pure back-end ones). |
Beta Was this translation helpful? Give feedback.
-
I am a back-end developer focusing on web APIs for our front-end. The front-end uses Editor.js.
One way to look at it, from an API perspective, is that the API does not receive and return HTML to be displayed as-is on the client. Instead, the API receives and returns a custom JSON format. Sure, some parts of the JSON contain HTML. But the JSON can't be displayed directly as HTML; it requires custom front-end tooling (e.g. the Editor.js editor) to convert it to HTML and insert it into the DOM. And it is the tools that perform this conversion that are ultimately responsible for sanitizing the HTML before inserting it into the DOM.
Of course, I know that the back-end can also sanitize HTML. Security in depth. But it comes with a cost which in this case seems to be too great. Consider the following:
In light of the above, it seems to me that not sanitizing Editor.js documents in the back-end is an acceptable risk.
Please let me know if you agree or disagree.
Beta Was this translation helpful? Give feedback.
All reactions