HTML Injection Security Warning for Rich Text


In my application, we are using CKEditor to store rich text content. While displaying that content, we set the Escape Content property of the expression to No and it works fine. But after the Platform 10 migration, it started displaying the HTML Injection warning.


Please see the attachment for more information.

It's just a warning, and your app will work as before the migration.

On the other side, it's a security warning, and if you ignore it you will face a risk of being attacked using HTML injection. CKEditor allows users to produce rich-formatted text as HTML fragments, and you can use an unescaped expression to inject this content on your pages. However, if the HTML fragment contains malicious images or scripts, you will be injecting those malicious contents as well.

A good rule of thumb for web development is to never trust content produced by the user. You can use the Sanitization API to clean malicious content from your HTML fragment, before injecting it on the screen.

leonardo.fernandes wrote:

It's just a warning, and your app will work as before the migration.

On the other side, it's a security warning, and if you ignore it you will face a risk of being attacked using HTML injection. CKEditor allows users to produce rich-formatted text as HTML fragments, and you can use an unescaped expression to inject this content on your pages. However, if the HTML fragment contains malicious images or scripts, you will be injecting those malicious contents as well.

A good rule of thumb for web development is to never trust content produced by the user. You can use the Sanitization API to clean malicious content from your HTML fragment, before injecting it on the screen.

Hi leonardo,

Is there any solution to resolve the warning? In my application the warning count is quite high.

Regarding the second point, we already use the Sanitization API to clean malicious content from the HTML fragment before injecting it on the screen.

Regards,

Sunil Mane

Solution

Hello Sunil. If you're using the Sanitization API, then the warning should disappear automatically.

If there's a warning that you somehow cannot make go away, you can right-click on it and hide it.
