My situation is a little bit different, I’m using CKEditor for both editing and displaying things, and the submitted string will only be shown inside CKEditor, nowhere else.
I tried this XSS:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
I added this to the database directly from backend, not by CKEditor since I know it doesn’t matter what CKEditor does before going into the database as the attacker could always send some raw http request without dealing with CKEditor.
To my surprise CKEditor shows me this:
{cke_protected_1}">
So CKEditor is doing something to prevent XSS, and I realized that the XSS security could be achieved from client side.
My question is, how good is CKEditor doing and if it’s reliable if I only use no-attribute tags plus
<a><img><table><span><pre>
(<a> and <table> could be disabled if it makes things easier)
PS: The CKEditor is using default settings.
You should protect against XSS on the server side. If you have this possibility, just strip any unsafe data before saving it.
Note that wysiwyg editors must protect somehow JavaScript code included in edited HTML, in order to not destroy edited contents, which includes e.g. hiding in Wysiwyg mode
<script>tags or changingonclickevent handlers into “data-” attributes.{cke_protected_1} is a result of an attempt to hide the <script> tag by CKEditor, that did not work entirely properly because of a bit “hackish” HTML taken from XSS Cheat Sheet.
The partial built-in protection in wysiwyg editors should not be considered as a replacement for a server side protection against XSS.