[CKEditor.Reactive] Stored XSS vulnerability on CKEditor version 4.14.0
Forge asset: ckeditor-reactive, by Fábio Fantato (Application Type: Reactive)

Hi,

We found a vulnerability by adding this script in Source option.

<p>Xss<!-- --!><img src=1 onerror=alert(`XSS`)>-->Attack</p>

I also found this article, which recommends upgrading to the latest version of CKEditor 4.

How can we upgrade to latest version which is v4.19.0?

Thanks,

Danang Massandy
Solution

Hi all,

I tried using Fábio Fantato's answer from this thread to upgrade the ckeditor resources to current latest version (4.19.0) and it was successful. Attached is the modified oml.


CKEditorReactive_edited.oml
José Fábio Vieira
Staff

You can have all the security on the client-side, but in the end, it is not really secure!

I think the documentation of the component should be updated to force this security concern and awareness, because you need to save the HTML in the database or somewhere else.

Before you save the HTML, use the SanitizeHtml from the Sanitization API.

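As an added example (not code from this thread, from the CKEditor component, or from the OutSystems Sanitization API), the script below shows why the payload quoted in the question slips past a filter that treats `<!-- ... -->` as opaque comment text, and how an allowlist sanitizer of the kind the SanitizeHtml advice above relies on neutralises it: browsers end a comment at `--!>`, so the `<img>` is live markup, while the comment-matching filter never inspects it. Both filter functions are constructed for illustration; `naive_denylist` is a deliberately weak stand-in, not any real product's filter.

```python
import html
import re

# Constructed sample: the payload quoted in the question above.
PAYLOAD = '<p>Xss<!-- --!><img src=1 onerror=alert(`XSS`)>-->Attack</p>'

# Hypothetical weak filter: keeps <!-- ... --> regions verbatim and only strips
# on* handlers outside them. It does not know that '--!>' also ends a comment.
_COMMENT = re.compile(r'<!--.*?-->', re.S)
_ON_ATTR = re.compile(r'\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)

def naive_denylist(src: str) -> str:
    out, pos = [], 0
    for m in _COMMENT.finditer(src):
        out.append(_ON_ATTR.sub('', src[pos:m.start()]))
        out.append(m.group(0))  # "comment" copied through untouched
        pos = m.end()
    out.append(_ON_ATTR.sub('', src[pos:]))
    return ''.join(out)

# Allowlist sanitizer: keeps only known tags and attributes, escapes every other
# '<' (including '<!--'), so comment-parsing quirks cannot smuggle markup through.
ALLOWED = {'p': set(), 'b': set(), 'i': set(), 'br': set(), 'a': {'href'}}
_TAG = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)'
                  r'((?:\s+[a-zA-Z-]+(?:\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+))?)*)\s*/?>')
_ATTR = re.compile(r'([a-zA-Z-]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+))?')

def sanitize_allowlist(src: str) -> str:
    out, pos = [], 0
    while True:
        lt = src.find('<', pos)
        if lt < 0:
            out.append(html.escape(src[pos:]))
            return ''.join(out)
        out.append(html.escape(src[pos:lt]))
        m = _TAG.match(src, lt)
        name = m.group(2).lower() if m else None
        if m and name in ALLOWED:
            attrs = []
            for a in _ATTR.finditer(m.group(3)):
                key, val = a.group(1).lower(), (a.group(2) or '').strip('"\'')
                # drop unknown attributes and javascript: URLs on the kept ones
                if key in ALLOWED[name] and not val.lower().lstrip().startswith('javascript:'):
                    attrs.append(f' {key}="{html.escape(val, quote=True)}"')
            out.append(f'<{m.group(1)}{name}{"".join(attrs)}>')
            pos = m.end()
        else:
            out.append('&lt;')  # unknown tag, comment or malformed markup becomes text
            pos = lt + 1
```

Running `naive_denylist(PAYLOAD)` returns the payload unchanged, while `sanitize_allowlist(PAYLOAD)` leaves only `<p>` and `</p>` as real tags with the rest rendered as escaped text.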