Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

TinyMce protection against cross site scripting

Tags:

java

sql-injection

tinymce

We are planning to use TinyMce in a JSP.

We have a standard security filter which keeps track of input data from forms. It identifies insecure code input attempting any intrusions/cross site scripting.

My questions are as follows:

  • When using tinyMce are there any third party libraries (paid or open source) which would help scan and identify for any insecure code attempting cross site scripting?

(I found one link in StackOverflow mentioning a PHP library, but I was looking for something in Java.)

  • If we do not have any way to secure Tinymce, then what is the general design consideration that has to be taken to make it as secure as possible?
like image 523
kensen john Avatar asked Jun 02 '11 18:06

kensen john

People also ask

What is the defense against cross-site scripting?

Content security policy (CSP) is the last line of defense against cross-site scripting. If your XSS prevention fails, you can use CSP to mitigate XSS by restricting what an attacker can do. CSP lets you control various things, such as whether external scripts can be loaded and whether inline scripts will be executed.

What is a way to not prevent cross-site scripting?

To protect most from XSS vulnerabilities, follow three practices: Escape user input. Escaping means to convert the key characters in the data that a web page receives to prevent the data from being interpreted in any malicious way. It doesn't allow the special characters to be rendered. Validate user input.

Is TinyMCE secure?

TinyMCE in itself can not be insecure, it would be completely impossible for any exploit to exist in TinyMCE that would allow anyone to hack your blog/cms or similar by injecting XSS contents since it by it self can't modify the contents of the site. The server side scripts like PHP/.

Which is the best method to protect your website from XSS cross-site scripting?

Use the right META tag The benefit to using this meta tag is that it will greatly reduce the number of potential forms that an XSS script injection can take.

1 Answers

SQL injection should be something you worry about in your data layer, rather than your front-end. If you're using the proper techniques to prevent SQL injection when you insert the data into your database, you shouldn't have to worry about doing anything with TinyMCE, or any other part of your front-end code.

Cross-site scripting attacks, on the other hand, are a different story. The best strategy for preventing cross-site scripting attacks is generally to HTML-Encode everything that you don't produce in your front-end layer. However, since you're using TinyMCE, I'm guessing that you want to allow user-generated HTML to appear on your site. In that case, you'll want to look up "HTML Sanitizing."

Here are a couple of links to start you off:

  • Libs for HTML sanitizing
  • How to sanitize HTML code in Java to prevent XSS attacks?

You can decide whether you prefer to sanitize the HTML before saving it to the database, after retrieving it from the database, or both. There are pros and cons to each strategy.

like image 81
StriplingWarrior Avatar answered Oct 20 '22 05:10

StriplingWarrior
Sign in to Comment

Related questions

JAX-RS with Jersey: Passing form parameters to PUT method for updating a Resource
Passing construction to super class
Recommender system: simple user-based collaborative filtering to evaluate with precision and recall
Concurrency problems in JTable
Is there a Eclipse plugin for Spring JDBCTemplate code generation? [closed]
Java Socket creation takes more time
How to provide relative path in File class to upload any file? [duplicate]
How to show page generation stats in Grails
mvn test java.lang.OutOfMemoryError: unable to create new native thread
How do I force Windows line endings in Java app?
How to extract images from Thumbs.db in Java?
RegEx to read multiple parameters of unknown multiplicity
How do I configure Google-Guice using a generic interface?
MessageFormat header/footerFormat how to change Font for JTable printing
What is the use of Collections.EMPTY_MAP, EMPTY_LIST, EMPTY_SET
xstream errors for serializing & deserializing
Debugging an SWT application causes all GTK application to freeze
determine version of microsoft office with java
Hibernate date don't save the milliseconds
How to read properties file placed outside war?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!