We are planning to use TinyMce in a JSP.
We have a standard security filter which keeps track of input data from forms. It identifies insecure code input attempting any intrusions/cross-site scripting.
My questions are as follows:
(I found one link in StackOverflow mentioning a PHP library, but I was looking for something in Java.)
Content security policy (CSP) is the last line of defense against cross-site scripting. If your XSS prevention fails, you can use CSP to mitigate XSS by restricting what an attacker can do. CSP lets you control various things, such as whether external scripts can be loaded and whether inline scripts will be executed.
To get the most protection against XSS vulnerabilities, follow three practices: Escape user input. Escaping means converting the key characters in the data that a web page receives so that the data cannot be interpreted in any malicious way; it prevents the special characters from being rendered as markup. Validate user input.
TinyMCE in itself cannot be insecure; it would be completely impossible for any exploit to exist in TinyMCE that would allow anyone to hack your blog/CMS or similar by injecting XSS contents, since it by itself can't modify the contents of the site. The server-side scripts like PHP/.
Use the right META tag. The benefit of using this meta tag is that it greatly reduces the number of potential forms that an XSS script injection can take.
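The CSP paragraph above describes the header as a backstop in case output encoding fails. As an added example (not code from the question, the answer, or the TinyMCE project), here is a servlet filter that sets that header on every response of a JSP application. The policy directives, the `/csp-report` path and the `javax.servlet` API level are assumptions; in particular, the example assumes the editor needs `'unsafe-inline'` for `style-src` only, so `script-src` can stay strict. Check TinyMCE's own CSP guidance for the version you deploy.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter that adds a Content-Security-Policy header to every
 * response. It is an illustration for this page, not part of TinyMCE.
 */
@WebFilter("/*")
public class CspFilter implements Filter {

    // Policy assumed for a JSP app that serves TinyMCE from its own origin:
    //  - scripts only from this origin: no inline <script>, no eval()
    //  - 'unsafe-inline' granted to style-src only (assumed requirement of the
    //    editor's inline styles); script-src stays strict
    //  - plugins/objects disabled, base tag and framing locked to this origin
    //  - violations posted to a report endpoint you host (path assumed)
    private static final String POLICY = String.join("; ",
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self' 'unsafe-inline'",
            "img-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
            "report-uri /csp-report");

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // setHeader (not addHeader): a policy set elsewhere is replaced,
            // not sent twice, so browsers enforce exactly one policy.
            http.setHeader("Content-Security-Policy", POLICY);
            // While rolling out, send the report-only variant instead so
            // pages keep working and violations still show up in reports:
            // http.setHeader("Content-Security-Policy-Report-Only", POLICY);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter through the `@WebFilter` annotation (Servlet 3.0+) or an equivalent `web.xml` entry, then open the browser console on a page that embeds the editor: any blocked inline script or cross-origin load shows up as a CSP violation, which is the signal to tighten or loosen the directives deliberately rather than by guesswork.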
SQL injection should be something you worry about in your data layer, rather than your front-end. If you're using the proper techniques to prevent SQL injection when you insert the data into your database, you shouldn't have to worry about doing anything with TinyMCE, or any other part of your front-end code.
Cross-site scripting attacks, on the other hand, are a different story. The best strategy for preventing cross-site scripting attacks is generally to HTML-Encode everything that you don't produce in your front-end layer. However, since you're using TinyMCE, I'm guessing that you want to allow user-generated HTML to appear on your site. In that case, you'll want to look up "HTML Sanitizing."
Here are a couple of links to start you off:
You can decide whether you prefer to sanitize the HTML before saving it to the database, after retrieving it from the database, or both. There are pros and cons to each strategy.
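The answer above separates the two concerns: parameterised statements in the data layer for SQL injection, and HTML sanitising (rather than plain encoding) for the rich text TinyMCE produces, applied on save, on render, or both. As an added example (not code from the answer or from TinyMCE), and in Java since the question asked for a Java library, here is a small helper that does all three. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) is on the classpath and assumes a `posts` table with `title` and `body_html` columns; the class, method and column names are invented for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/**
 * Hypothetical helper for storing and rendering rich text submitted from
 * TinyMCE. Example code for this page; table and column names are assumed.
 */
public final class RichTextStore {

    // Allow-list policy: basic formatting and block elements, plus links that
    // carry only an href with http/https/mailto and a forced rel="nofollow".
    // Anything not on the list (script, style, iframe, on* handlers,
    // javascript: URLs) is removed rather than escaped.
    private static final PolicyFactory POLICY =
            Sanitizers.FORMATTING
                    .and(Sanitizers.BLOCKS)
                    .and(new HtmlPolicyBuilder()
                            .allowElements("a")
                            .allowAttributes("href").onElements("a")
                            .allowUrlProtocols("http", "https", "mailto")
                            .requireRelNofollowOnLinks()
                            .toFactory());

    private RichTextStore() {}

    /** Rich-text field (the TinyMCE body): keep allowed markup, drop the rest. */
    public static String sanitizeHtml(String untrustedHtml) {
        return untrustedHtml == null ? "" : POLICY.sanitize(untrustedHtml);
    }

    /** Plain-text field (title, author name): the browser must never see markup here. */
    public static String escapeHtml(String text) {
        if (text == null) return "";
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (char c : text.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Data layer: SQL injection is handled by binding parameters. The SQL text
     * is a constant; user values never get concatenated into it.
     */
    public static void savePost(Connection conn, String title, String bodyHtml)
            throws SQLException {
        String sql = "INSERT INTO posts (title, body_html) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, title);                  // stored as typed; escaped on output
            ps.setString(2, sanitizeHtml(bodyHtml)); // sanitised before it reaches the DB
            ps.executeUpdate();
        }
    }

    /**
     * Render: sanitise again on the way out, so rows written before the policy
     * existed, or by another code path, are covered as well.
     */
    public static String renderPost(Connection conn, long id) throws SQLException {
        String sql = "SELECT title, body_html FROM posts WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return "";
                return "<h2>" + escapeHtml(rs.getString("title")) + "</h2>\n"
                     + "<div class=\"body\">" + sanitizeHtml(rs.getString("body_html")) + "</div>";
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample of a tampered submission: the editor's own UI
        // restrictions mean nothing, since the POST body can be edited freely.
        String submitted = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                         + "<script>alert(1)</script>"
                         + "<a href=\"javascript:alert(1)\">bad</a>"
                         + "<a href=\"https://example.com\">ok</a>";
        System.out.println(sanitizeHtml(submitted));
        System.out.println(escapeHtml("Title with <tags> & \"quotes\""));
    }
}
```

Two design points worth noting. The rich-text body goes through `sanitizeHtml` and not `escapeHtml`: escaping would turn the editor's `<b>` and `<p>` into visible text, which defeats the purpose of using TinyMCE, so an allow-list sanitizer is the right tool for that field while plain fields still get escaped. And sanitising on both save and render costs little; it protects against content that entered the database before the policy existed or through a different code path, which is the usual reason the "both" option in the answer is chosen.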