Security
Sanitization, XSS protection, and security best practices for Neiki's Editor.
Neiki's Editor is a rich text editor: users can paste content from any source, including web pages, documents, and potentially malicious sites. Without proper sanitization, that pasted content can carry:

- XSS (Cross-Site Scripting): injected `<script>` tags can steal cookies, hijack sessions, or deface pages
- Event handler injection: `onclick="maliciousCode()"` on any element
- Protocol injection: `href="javascript:..."` in links
Always sanitize HTML on the server before saving to a database or rendering to other users.
Neiki's Editor sanitizes all HTML that enters the editor, whether from autosave restoration, textarea content, `setContent()`, or `insertHTML()`. The built-in sanitizer:

- Strips dangerous tags: `<script>`, `<iframe>`, `<object>`, `<embed>`, `<form>`, etc.
- Removes event handler attributes: `onclick`, `onerror`, `onload`, `onmouseover`, etc.
- Removes `javascript:` and `data:` protocol URLs in `href` and `src` attributes
- Uses a safe entity-decoding approach (regex-based, not `innerHTML`-based) to prevent entity-encoding bypass attacks
Important
Client-side sanitization is a defense-in-depth measure. It does not replace server-side sanitization. Always validate and sanitize on the server.
The included PHP helper provides a `sanitize()` method; call it on the server before user-supplied HTML is stored or shown to other users:

```php
require_once 'path/to/php/neiki-editor.php';

// Sanitize before saving to the database
$cleanHTML = NeikiEditor::sanitize($_POST['content']);
$stmt = $pdo->prepare('UPDATE articles SET body = ? WHERE id = ?');
$stmt->execute([$cleanHTML, $articleId]);
```

The PHP sanitizer strips:

- Dangerous tags (`<script>`, `<iframe>`, `<object>`, `<embed>`, `<form>`, `<input>`, etc.)
- Event handler attributes (`onclick`, `onerror`, `onload`, `onfocus`, `onblur`, etc.)
- `javascript:` and `data:text/html` protocol URLs
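The scheme check that both the client-side and the PHP sanitizer apply to `href` and `src` is the step attackers most often get around, because entity encoding and embedded control characters can hide `javascript:` from a naive string match. The following is an added example in JavaScript, not code from Neiki's Editor, of how to do that check robustly: decode character references exactly once with a regex-based decoder (no `innerHTML`), strip the control characters a browser ignores, then allowlist the scheme. The scheme list, the `allowDataImage` option, the helper names and the sample payloads are this example's own assumptions.

```javascript
// Added example, not part of Neiki's Editor: a hardened URL-scheme check for
// href/src attributes. The steps mirror what a browser does before resolving a
// URL: decode character references once, drop ignored control characters, read
// the scheme.

// Named references that matter for scheme smuggling plus the common escapes.
// Real HTML defines about 2200; a full table is a drop-in replacement here.
const NAMED_REFS = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: '\u00A0',
  Tab: '\t', NewLine: '\n', colon: ':', sol: '/',
};

// Regex-based decoder: the hostile string never touches innerHTML, so decoding
// it cannot itself run anything. Single pass only, like the HTML parser.
function decodeEntities(str) {
  return str.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([A-Za-z]+));?/gi, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      // NUL and out-of-range code points become U+FFFD, as in browsers
      if (cp === 0 || cp > 0x10ffff) return '\uFFFD';
      return String.fromCodePoint(cp);
    }
    // Named references are case-sensitive (&Tab; is valid, &tab; is not).
    // hasOwnProperty keeps "&constructor;" from reading Object.prototype.
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, name) ? NAMED_REFS[name] : match;
  });
}

// Scheme allowlist: this example's choice, not the editor's configuration.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Returns true if rawUrl may stay on an href/src attribute.
// allowDataImage (example option) admits data:image/* for pasted screenshots;
// SVG is deliberately excluded because it can carry <script>.
function isSafeUrl(rawUrl, { allowDataImage = false } = {}) {
  if (typeof rawUrl !== 'string') return false;
  const decoded = decodeEntities(rawUrl);
  // The URL parser strips tab/newline anywhere and C0 controls at the ends,
  // which is what makes "java\tscript:" work; strip them all before looking.
  const normalized = decoded.replace(/[\u0000-\u0020\u007F]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalized);
  if (!m) return true; // no scheme: relative URL, inherits the page's scheme
  const scheme = m[1].toLowerCase();
  if (SAFE_SCHEMES.has(scheme)) return true;
  if (scheme === 'data' && allowDataImage) {
    return /^data:image\/(?:png|jpeg|gif|webp);/i.test(normalized);
  }
  return false; // javascript:, vbscript:, data:text/html, file:, anything unknown
}

// Attribute filter for <a> matching the allowlist table (href, target, rel):
// everything else, including every on* handler, is dropped by construction.
function filterAnchorAttrs(attrs) {
  const out = {};
  const has = (k) => Object.prototype.hasOwnProperty.call(attrs, k);
  if (has('href') && isSafeUrl(attrs.href)) out.href = attrs.href;
  if (has('target') && attrs.target === '_blank') {
    out.target = '_blank';
    out.rel = 'noopener noreferrer'; // keep the opened page away from window.opener
  }
  return out;
}

// Constructed payloads for a quick run: node this-file.js
const PAYLOADS = [
  'https://example.com/page',
  'javascript:alert(1)',
  'java&Tab;script&colon;alert(1)',
  '&#x6A;avascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) console.log(isSafeUrl(p) ? 'keep' : 'drop', JSON.stringify(p));
}
```

Note that the function only decides whether to keep the attribute; it never rewrites the URL, so a value it accepts is stored exactly as the user supplied it. Protocol-relative URLs (`//host/path`) have no scheme and are accepted, which is correct because they resolve to the page's own `http`/`https`.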
The built-in sanitizer allows the following HTML elements, which are the ones the editor itself generates:

| Category | Tags |
|---|---|
| Structure | `p`, `div`, `span`, `br`, `hr` |
| Headings | `h1`, `h2`, `h3`, `h4`, `h5`, `h6` |
| Formatting | `strong`, `b`, `em`, `i`, `u`, `s`, `sub`, `sup`, `mark`, `code`, `pre` |
| Lists | `ul`, `ol`, `li` |
| Links | `a` (with `href`, `target`, `rel`) |
| Media | `img` (with `src`, `alt`, `width`, `height`), `video`, `source` |
| Tables | `table`, `thead`, `tbody`, `tr`, `td`, `th` (with `colspan`, `rowspan`) |
| Quotes | `blockquote` |
Note
For production use with strict requirements, consider a dedicated, actively maintained server-side HTML sanitization library such as HTML Purifier (PHP), DOMPurify (JS; runs server-side on top of jsdom), or, for Python, nh3 (Bleach is in maintenance-only mode and its maintainers point to nh3).
If your application uses a Content Security Policy, ensure the following sources are allowed for the editor to function:

```http
Content-Security-Policy:
  script-src 'self' https://cdn.neikiri.dev https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline' https://cdn.neikiri.dev;
  img-src 'self' data: blob: *;
```

Merge these sources into your existing directives rather than replacing the policy: a `default-src` on its own does not grant them, and a `script-src` that omits the two CDN hosts blocks the editor's own scripts. `img-src *` admits images from any origin (`data:` and `blob:` still have to be listed explicitly, since `*` does not cover schemes); if your deployment uploads or proxies pasted images, you can restrict it to those hosts.
Caution
'unsafe-inline' for style-src is required because the editor applies inline styles for font sizes, colors, and image dimensions. If your CSP disallows this, some formatting features will not work.
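Because a site-wide policy is usually assembled from several pieces, the editor's requirements are easy to lose, in particular when `script-src` is absent and silently inherits `default-src`. The following is an added example in JavaScript, not from the editor's documentation, that parses a CSP header value and reports which of the sources above are not granted, honouring the fallback rule (`script-src`, `style-src` and `img-src` inherit `default-src` when absent; neither present means no restriction at all). The hostnames are the ones from the policy above; the two lint warnings (`script-src` with `'unsafe-inline'` or `*`, and `img-src *`) are this example's own judgement calls, as are the constructed sample policies.

```javascript
// Added example, not part of Neiki's Editor: check a CSP header value against
// the editor's source requirements, applying CSP fallback semantics.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
// Browsers honour the first occurrence of a duplicated directive and ignore later ones.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Fetch directives that inherit default-src when absent (CSP Level 3 list, abridged).
const FALLS_BACK = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'media-src', 'frame-src',
]);

// null means "unrestricted": no directive and no default-src to fall back on.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK.has(directive) && policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does the source list grant `needed`? Keywords ('self', 'unsafe-inline') and
// scheme sources (data:, blob:) must appear literally: * does not cover them.
function allows(sources, needed) {
  if (sources === null) return true;
  if (sources.includes(needed)) return true;
  if (/^https?:\/\//.test(needed)) {
    if (sources.includes('*')) return true;
    if (needed.startsWith('https://') && sources.includes('https:')) return true;
  }
  return false;
}

// What the editor needs, taken from the policy on this page.
const EDITOR_REQUIREMENTS = {
  'script-src': ["'self'", 'https://cdn.neikiri.dev', 'https://cdn.jsdelivr.net'],
  'style-src': ["'self'", "'unsafe-inline'", 'https://cdn.neikiri.dev'],
  'img-src': ["'self'", 'data:', 'blob:'],
};

// Returns { missing: ["directive source", ...], warnings: [...] }.
function checkEditorCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const missing = [];
  const warnings = [];
  for (const [directive, needed] of Object.entries(EDITOR_REQUIREMENTS)) {
    const sources = effectiveSources(policy, directive);
    for (const src of needed) {
      if (!allows(sources, src)) missing.push(`${directive} ${src}`);
    }
  }
  // Lint: settings that quietly cancel the XSS protection CSP is meant to give.
  const script = effectiveSources(policy, 'script-src');
  if (script === null) {
    warnings.push('script-src is unrestricted: neither script-src nor default-src is set');
  } else if (script.includes("'unsafe-inline'") || script.includes('*')) {
    warnings.push("script-src allows 'unsafe-inline' or *: injected scripts would still run");
  }
  const img = effectiveSources(policy, 'img-src');
  if (img !== null && img.includes('*')) {
    warnings.push('img-src * lets content load images from any origin (tracking pixels); list your image hosts instead');
  }
  return { missing, warnings };
}

// Constructed inputs for a quick run: the page's policy, and a site-wide
// default that forgot about the editor.
const PAGE_POLICY = "script-src 'self' https://cdn.neikiri.dev https://cdn.jsdelivr.net; " +
  "style-src 'self' 'unsafe-inline' https://cdn.neikiri.dev; img-src 'self' data: blob: *";
const STRICT_SITE_POLICY = "default-src 'self'";
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkEditorCsp(PAGE_POLICY));
  console.log(checkEditorCsp(STRICT_SITE_POLICY));
}
```

Run against `STRICT_SITE_POLICY`, the checker reports six missing grants even though the header never mentions `script-src`, because `default-src 'self'` is what the browser will apply to scripts, styles and images alike. Host matching here is literal plus `*` and `https:`; wildcard hosts such as `https://*.jsdelivr.net` would need a small extension.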
Autosave stores content in `localStorage`. Be aware:

- Content in `localStorage` is not encrypted
- It is accessible to any JavaScript running on the same origin, so an XSS anywhere on that origin can read it
- For sensitive content, disable autosave and use server-side saving instead
```javascript
new NeikiEditor('#editor', {
  // Don't use autosave for sensitive forms;
  // use onSave/onChange to send content to your backend instead
  onSave: async function (content) {
    const response = await fetch('/api/save', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        // getCsrfToken() stands for your application's own helper that
        // reads the token from a meta tag or cookie
        'X-CSRF-Token': getCsrfToken()
      },
      body: JSON.stringify({ content })
    });
    if (!response.ok) {
      throw new Error(`Save failed: ${response.status}`);
    }
  }
});
```

Notable security fixes in Neiki's Editor:
| Version | Fix |
|---|---|
| 3.0.1 | Fixed polynomial regex risk in HTML code view; replaced with a deterministic linear scan |
| 2.10.1 | Fixed XSS vulnerability in the sanitizer's entity decoding; replaced `innerHTML`-based decoding with a safe regex approach |
| 2.9.4 | Reworked autosave storage key normalization to avoid polynomial regex on uncontrolled input; updated HTML sanitization parsing to avoid `DOMParser.parseFromString` |
| 2.9.3 | Hardened autosave HTML sanitization; fixed unsafe modal value interpolation for link/image dialogs; guarded against prototype pollution (`__proto__`, `constructor`) |
Security checklist for deployments:

| Done | Check |
|---|---|
| ✅ | Server-side sanitization before saving to the database |
| ✅ | CSRF tokens on all form submissions |
| ✅ | `imageUploadHandler` validates file types server-side |
| ✅ | Content retrieved via `getContent()` is sanitized before display to other users |
| ✅ | Autosave disabled for sensitive content |
| ✅ | CSP headers configured appropriately |
| ✅ | Using the latest editor version (check the Changelog) |
Related pages:

| Page | Covers |
|---|---|
| 🔗 Integration Guide | PHP sanitization helper usage |
| 🧩 Advanced Features | Autosave configuration |
| 📋 Changelog | Security fix history |