Stored Cross-site Scripting (XSS) in page creation #835
Comments
Thanks for the report :) but we explicitly allow all the HTML tags and attributes in the editor. You can decide if you want to render the content raw (Twig filter). We do this because we don't see the big problem here: the content manager (logged-in system user) should be "competent" enough to avoid it if he doesn't want it. But we are planning in a future release to make this behavior configurable; there are no concrete plans currently. /cc @chirimoya @danrot please add your thoughts about this topic.
I also think that this is the job of the template developer. Especially because I have already seen textareas being used to copy small JavaScript snippets (e.g. YouTube embed codes).
I've been running into issues because the code is not only rendered unsanitized on the webpage/preview, but also in the block preview in the actual edit page.
@floatingbits only the CKEditor runs JS code, but there it is run inside an iframe and should not crash any backend components. And for embed codes it is recommended to use textareas and not text editors. So updating to 1.6 should fix it for textareas.
For @prodigysml: if you don't want to output something on the website you may need to create a custom Twig extension using something like http://htmlpurifier.org. @floatingbits that's good. I will now close the issue as it seems to be fixed; otherwise feel free to reopen it or add a comment.
Actual Behavior
Sulu saves the code unsanitised and allows arbitrary execution of JavaScript.
Expected Behavior
Sulu should remove the JavaScript payload as it does for most others.
Steps to Reproduce
<p><iframe src="javascript:alert(1)"></iframe></p>
Possible Solutions
Check iframe src prior to adding to the page.
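The HTMLPurifier-based Twig extension the maintainer suggests in the comments, written out here as an added example (not Sulu's own code); it assumes HTMLPurifier installed via Composer, Twig 2/3 class names, and an illustrative allow-list of embed hosts, and shows how such a filter drops the iframe from the reproduction step above while keeping a legitimate embed:

```php
<?php
// Added example, not part of Sulu: a Twig filter that runs rich-text
// output through HTMLPurifier before it is rendered into a template.
// Assumptions: HTMLPurifier via Composer, Twig 2/3 namespaces; the class
// name and the allowed embed hosts are chosen here for illustration.

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class PurifyExtension extends AbstractExtension
{
    private HTMLPurifier $purifier;

    public function __construct()
    {
        $config = HTMLPurifier_Config::createDefault();
        // Keep <iframe> only when its src matches this allow-list (constructed);
        // iframes with any other src, including non-http(s) schemes, are removed.
        // <script> elements and on* handler attributes are stripped by default.
        $config->set('HTML.SafeIframe', true);
        $config->set(
            'URI.SafeIframeRegexp',
            '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
        );
        $this->purifier = new HTMLPurifier($config);
    }

    public function getFilters(): array
    {
        // 'is_safe' tells Twig not to escape the purified HTML a second time.
        return [new TwigFilter('purify', [$this, 'purify'], ['is_safe' => ['html']])];
    }

    public function purify(?string $html): string
    {
        return $this->purifier->purify((string) $html);
    }
}

// Constructed samples: the payload from the issue and a legitimate embed.
$ext = new PurifyExtension();
echo $ext->purify('<p><iframe src="javascript:alert(1)"></iframe></p>'), "\n";
echo $ext->purify('<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'), "\n";
```

Register the extension with the Twig environment and render the property with `{{ content.description|purify }}` instead of the raw filter; the allow-list is the part to adapt to the embeds your templates actually need.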