xss prevention with ckeditor - xss

My situation is a little bit different, I'm using CKEditor for both editing and displaying things, and the submitted string will only be shown inside CKEditor, nowhere else.
I tried this XSS:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>">
I added this to the database directly from backend, not by CKEditor since I know it doesn't matter what CKEditor does before going into the database as the attacker could always send some raw http request without dealing with CKEditor.
To my surprise CKEditor shows me this:
{cke_protected_1}">
So CKEditor is doing something to prevent XSS, and I realized that the XSS security could be achieved from client side.
My question is, how good is CKEditor doing and if it's reliable if I only use no-attribute tags plus
<a><img><table><span><pre>
(<a> and <table> could be disabled if it makes things easier)
PS: The CKEditor is using default settings.

You should protect against XSS on the server side. If you have this possibility, just strip any unsafe data before saving it.
Note that wysiwyg editors must protect somehow JavaScript code included in edited HTML, in order to not destroy edited contents, which includes e.g. hiding in Wysiwyg mode <script> tags or changing onclick event handlers into "data-" attributes.
{cke_protected_1} is a result of an attempt to hide the <script> tag by CKEditor, that did not work entirely properly because of a bit "hackish" HTML taken from XSS Cheat Sheet.
The partial built-in protection in wysiwyg editors should not be considered as a replacement for a server side protection against XSS.

Related

Jquery inside of CFDiv

I have a page that includes a CFDiv tag that displays content from another file.
<cfajaximport tags="cfwindow,cfform,cflayout-tab,cfdiv">
<cfoutput><cfdiv class="vehicle-log" bind="url:trip_tab.cfm?ticketid=#ticketnum#" ID="theDiv" bindOnLoad = "true"/></cfoutput>
The external file has jquery tabs and jquery datepicker. None of the jquery seems to work in the CFDiv. If I call the external page by itself, everything works fine.
The reason I'm using a CFDiv here (I know most people hate cf layout stuff) is because the external page has a form element that I can submit and add to data to the db without refreshing the whole parent page. This is the only way I know how to do this.
Anyways, does anyone know how to get my jquery elements to work in a CFDiv?
Thanks.
Brian
You've got more than one problem here. First, you are using <CFDiv>, which under the covers is using portions of a very old version of ExtJS. So you are likely going to run into some headaches with mixing ExtJS and jQuery (and jQuery plugins).
Second, since <CFDiv bind="..."> uses AJAX to load the external HTML window content, you would need to change your JavaScript strategy. <CFDiv> will not pull in and execute the JavaScript code (including jQuery) from the external page (trip_tab.cfm), unless you only use CF UI widgets inside that external page (then the <cfajaximport> tag handles that for you). It only loads the HTML DOM content. You will have to move any <script> and <link rel="stylesheet"> tags and custom JavaScript/jQuery code and CSS into the parent page (the page that has the <CFDiv> tag in it). Then you'll have to find a way to listen for the AJAX event (completion of loading the external page) and call the custom JavaScript/jQuery code.
As others suggested in the comments above, using <CFDiv> is only making things harder for you. If you switched to using one JavaScript library for your UI components (like jQuery/jQueryUI/jQuery plugins), and put all of the necessary code into your main page, what you desire can be accomplished fairly easily.
I found a simple work around... CFdiv creates what feels like a seperate browser window, but its not actually one. So it can't pull Javascript files in via:
<script type="text/javascript" src="/js/scripts/jquery-1.11.1.min.js"></script>
The above is telling the browser "go fetch this file" - but since your CFdiv is not really a browser (Its a controversial permutation of CFajax as described here) it doesn't do it.
Technically, the above makes the browser include it into the page, just as if you cfincluded it , or just pasted the Javascript in there.
So convert the above to:
<script type="text/javascript"><cfinclude template="/js/scripts/jquery-1.11.1.min.js"></script>
And included javascript will work! (provided there aren't any conflicts with cfajax et al)
I had a similar problem in that my jquery was not working, and doing this fixed it.

Should I remove all CSS while sending HTML emails in Django?

I have a Django-powered WebApp that occasionally needs to send pretty HTML emails to my users.
I'm learning how to send HTML emails using Django. Here are the instructions I'm following. They are quite simple and good: http://www.djangofoo.com/250/sending-html-email
By following these instructions I'm able to send HTML emails. However, the emails I want to send should share the styles and look-and-feel of my webApp of course. Each Django template on my website includes a bunch of CSS at the top that ensures a consistent look. However, when I simply send that template as and HTML emails, the styles do not kick in in the email. Does CSS not work while sending HTML emails through Django?? Do I need to manually and explicitly set the fonts, colors, bold, italics, of each element in the HTML template I would like to use for the email? How do other people do this?
CSS is very difficult to get right with html emails... The general rule is to use inline styles and try to stay as basic as possible.
This SO question has some good resources in it for guidance on designing html emails.
Instead of manually setting all styles in the email, I tend to use the same CSS styles as the site if I want emails that should be pretty. However, emails need the styles inlined, and for that I use the inlinestyler module, which will take the HTML and the CSS files and set the relevant styles inline before sending the email.
There are still some things to think about, if you are careless you get gigantic emails because you use big style settings everywhere, and many email clients will not do positioning correctly etc. so you may have to make custom CSS styles for your emails anyway. But even if you do, inlinestyler is useful, as you get much more maintainable emails with the CSS and the HTML separate.
CSS is supported by some email clients, and not supported by others. Some clients support inline styles and others do not. You can see a fairly verbose list here. Most of what can be done with HTML/CSS can be done with inline styles and (gasp) table layouts, but some of it is simply impossible. Tools like the one #Lennart mentioned are invaluable, but "just inline everything" doesn't accommodate for a number of issues. (Pseudo classes comes to mind as a major point (a:hover is supported by Outlook, while .classname:hover is not), as does background image (there is a hack to make that work though)).
I guess that my basic point is that you can try to shortcut the process by using inlinestyler or similar, but you are going to need to keep a separate set of files, and you'll definitely be doing a series of manual tweaks.
I think you will find that email clients will not retrieve the css.
Instead, in your email, put the contents of your CSS files directly into the email, with <style> and </style> around it.

ColdFusion how to Prevent XSS Attacks in a WYSIWYG

I have a WYsIWYG editor in my coldfusion app and need to prevent XSS Attacks. Is there any Coldfusion ways to strip out all script type attacks?
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks
http://code.google.com/p/owaspantisamy/downloads/list
The main question I would ask is what is this WYSIWYG for? Many WYSIWYG's allow you to define specific tags to have stripped out of the code.
For instance you can have TinyMCE strip out the script tags with
http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/invalid_elements
This unfortunately does not solve your problem since all client side data form submissions are circumventable. If you must use a WYSIWYG ,then what you really need to make sure to do is to cover all your bases on the form's validation and display. You can strip out all script tags and make sure to remove any event attributes and javascript code in links href attributes.
If it is acceptable to only allow a specific subset of tags I would suggest either using BBML, BBCode, or Markdown.
http://www.depressedpress.com/Content/Development/ColdFusion/Extensions/DP_ParseBBML/Index.cfm
http://en.wikipedia.org/wiki/BBCode
http://sebduggan.com/projects/cfxmarkdown
You can use TinyMCE as a WYSIWYG for BBCode http://tinymce.moxiecode.com/examples/example_09.php and StackOverflow uses a great markdown editor http://github.com/cky/wmd
Here is some good info if you would like to render BBCode in Coldfusion
http://www.sitepoint.com/forums/showthread.php?t=248040
Something to consider is that while stripping the tags out in the browser with TinyMCE is a good idea, it makes a fatal assumption that the user is going to be submitting content via the browser. Anything that you do in the browser needs to be duplicated on the server because attackers can bypass any validation that happens in the browser.
With that said check this article: http://www.fusionauthority.com/techniques/3908-how-to-strip-tags-in-three-easy-lessons.htm which spells this out in more detail than I could here. Basically it discusses using regex and UDFs to strip tags out easily. The last example is particularly important... check it out.
To convert these tags <> or use HTMLEditformat function.

XSS Prevention, Tidy vs Purifier?

Greetings,
I'm trying to prevent XSS and improper html from input fields using CKEditor (a javascript WYSIWYG editor).
How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting.
Edit:
According to HTML Purifier, Tidy does not prevent XSS. So, let me specify that I would first pass the user input through
strip_tags($input,'<img><a><li><ol><ul><b><br>'); before passing to Tidy
HTML Purifier restricts the input beyond what strip_tags can. strip_tags would not strip JavaScript from the attributes of the tags you are allowing. I definitely recommend using HTML Purifier. HTML Purifier is not fast, but add/edit executions are usually less frequent than views so performance is less of an issue.

How do use fckEditor safely, without risk of cross site scripting?

This link describes an exploit into my app using fckEditor:
http://knitinr.blogspot.com/2008/07/script-exploit-via-fckeditor.html
How do I make my app secure while still using fckEditor? Is it an fckEditor configuration? Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
It's a puzzle because fckEditor USES html tags for its formatting, so I can't just HTML encode when I display back the text.
Sanitize html server-side, no other choice. For PHP it would be HTML Purifier, for .NET I don't know. It's tricky to sanitize HTML - it's not sufficient to strip script tags, you also have to watch out for on* event handlers and even more, thanks to stupidities of IE for example.
Also with custom html and css it's easy to hijack look and layout of your site - using overlay (absolutely positioned) which covers all screen etc. Be prepared for that.
The bug is not actually FCKeditors fault. As long as you let users edit HTML that will be displayed on your web site they will always have to possibility to do harm unless you check the data before you output it.
Some people use HTMLencoding to do this, but that will destroy all the formatting done by FCKeditor, not what you want.
Maybe you can use the Microsoft Anti-Cross Site Scripting Library. Samples on MSDN
Is it some processing I'm supposed to do server-side after I grab the text from fckEditor?
Precisely. StackOverflow had some early issues related to this as well. The easiest way to solve it is to use an HTML library to parse user's input, and then escape any tags you don't want in the output. Do this as a post-processing step when printing to the page -- the data in the database should be the exact same as what the user typed in.
For example, if the user enters <b><script>evil here</script></b>, your code would translate it to <b><script>evil here</script></b> before rendering the page.
And do not use regular expressions for solving this, that's just an invitation for somebody clever to break it again.
FCKEditor can be configured to use only a few tags. You will need to encode everything except for those few tags.
Those tags are: <strong> <em> <u> <ol> <ul> <li> <p> <blockquote> <font> <span>.
The font tag only should have face and size attributes.
The span tag should only have a class attribute.
No other attributes should be allowed for these tags.
I understand the DONTS. I'm lacking a DO.
Is use of FCKEditor a requirement, or can you use a different editor/markup language? I advise using Markdown and WMD Editor, the same language used by StackOverflow. The Markdown library for .NET should have an option to escape all HTML tags -- be sure to turn it on.
XSS is a tricky thing. I suggest some reading:
Is HTML a Humane Markup Language?
Safe HTML and XSS
Anyway, my summary is when it comes down to it, you have to only allow in strictly accepted items; you can't reject known exploit vectors because or you'll always be behind the eternal struggle.
I think the issue raised by some is not that Fckeditor only encodes a few tags. This is a naive assumption that an evil user will use the Fckeditor to write his malice. The tools that allow manual changing of input are legion.
I treat all user data as tainted; and use Markdown to convert text to HTML. It sanitizes any HTML found in the text, which reduces malice.