I am using FCKEditor in my Ruby on Rails Application. Users add blog posts using FCKEditor.

Then I display blog posts using

@blog.body.html_safe

I know FCKEditor is escaping any JavaScript code, but what if a user posted a request with direct parameters, setting the blog post body to include some JavaScript? This may be a security vulnerability.

Any idea how I can use FCKEditor with Rails safely?


Solution

We can use a white-list HTML sanitizer to escape all tags except some formatting tags.

Sanitize
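As an added example (not part of the question or the answer above), here is a minimal allowlist sanitizer in plain Ruby, with no gems, that shows the principle the answer describes: only the tags and attributes you explicitly allow are rebuilt, and everything else is escaped into visible text, whether it came through FCKEditor or was posted straight to the controller. The tag list, the `sanitize_post_body` name and the `SAMPLE_BODY` input are assumptions for the demo; in the Rails app you would run the body through this (or through the Sanitize gem the answer names) before calling `html_safe`.

```ruby
# Toy allowlist sanitizer (added example): a tag or attribute survives only if it
# is listed here. The list itself is an assumption about which formatting to keep.
ALLOWED_TAGS  = %w[p br b i em strong ul ol li a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# Escape text so it can never open a tag; entities already present (&amp;) are kept.
def escape_text(s)
  s.gsub(/&(?!(?:[a-zA-Z]+|#\d+|#x\h+);)/, "&amp;")
   .gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Relative links and http/https/mailto only; rejects javascript:, data:, vbscript: ...
def safe_href?(value)
  v = value.strip.downcase
  return true unless v.include?(":")
  SAFE_SCHEMES.any? { |s| v.start_with?("#{s}:") }
end

# Rebuild one tag from the allowlist, or return nil if it is not allowed.
def rebuild_tag(raw)
  m = raw.match(%r{\A<(/?)([a-zA-Z0-9]+)([^>]*?)(/?)>\z})
  return nil unless m
  closing, name, attr_str, self_close = m[1], m[2].downcase, m[3], m[4]
  return nil unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" unless closing.empty?
  attrs = +""
  attr_str.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |k, dq, sq, bare|
    key, val = k.downcase, (dq || sq || bare)
    next unless ALLOWED_ATTRS.fetch(name, []).include?(key)   # drops onclick, style, ...
    next if key == "href" && !safe_href?(val)
    attrs << %( #{key}="#{escape_text(val)}")
  end
  "<#{name}#{attrs}#{self_close.empty? ? '' : ' /'}>"
end

# Split the body into tags and text; tags not on the allowlist become visible text.
def sanitize_post_body(html)
  html.to_s.scan(/<[^>]*>|[^<]+|</).map do |chunk|
    (chunk.length > 1 && chunk.start_with?("<") && rebuild_tag(chunk)) || escape_text(chunk)
  end.join
end

# Constructed sample of a body submitted directly to the controller, bypassing the editor.
SAMPLE_BODY = %(<p>Hello <b>world</b></p><script>alert(1)</script>) +
              %(<a href="javascript:alert(2)" onclick="x()">click</a><img src=x onerror=alert(3)>)
```

Run on `SAMPLE_BODY` the output keeps `<p>`, `<b>` and a bare `<a>`, while the script, the event handler and the `img` tag come back as harmless escaped text.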

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow