I have just implemented CKEditor for rich text entry in my app and I am thinking that the ability of a user to enter anything could pose a security threat.
At the moment, I have the simplest implementation – CKEditor sits in a form, input is saved to the database as part of update_attributes, and other people can view the output as html_safe.
Somehow, the above doesn’t sound good to me, even though it works. Am I correct in thinking there are risks to the above approach? Is there a safer way to do this to block an attack through the editor?
You should always take care of sanitizing a users input. In your case, by stripping all unwanted HTML tags (like , for example) regardless of where it came from.
html_safeis not meant to strip HTML or sanitize for you. See Yehuda Katz’ article onActiveSupport::SafeBuffer. It is meant to prevent “unsafe” markup by marking a String as safe, if it is (and encoding it to HTML entities otherwise, to make it safe).There are sanitation helpers in
ActionView::Helpers::SanitizeHelperthat you can use to sanitize what is displayed, but you might want to sanitize it before it enters the database.If you strip away the possibility of inserting CSS, Javascript or an iframe, you should be fine. If you’re paranoid about what your users do, also take away
<img>tags. And if you’re really paranoid, you should consider using Markdown, Textile or others.