#1 2010-02-09 11:12:15

Afraithe
Administrator
From: Skellefteå, Sweden
Registered: 2005-01-03
Posts: 1980

False security issues

Over the years there have been a number of claims that there are security issues with TinyMCE; there is one going around Twitter right now. However, this is false: we get blamed when some 3rd party file manager, module or plugin tied to X CMS has security issues, or perhaps the CMS itself has SQL injection problems or XSS issues.

I will say it again.

TinyMCE is pure JavaScript and thus cannot contain any exploit, since the user can manipulate everything anyway.

For example, if you have a textarea and have not secured against SQL injections when saving data from the textarea, it doesn't matter if TinyMCE is applied to that textarea or not, you are still screwed.

JavaScript (or TinyMCE only) can be manipulated and turned off at any point by the client; everything is rendered and executed client side and can thus be manipulated by the client in any way. You need to secure your server, that's where the control is.

There are of course JavaScript exploits as well, but those aren't tied to TinyMCE either, but to the browser and JavaScript in general.

Edit: There is also a quite comprehensive text regarding security in our wiki; check it out.

So now you know.


Afraithe
TinyMCE Developer
Moxiecode Systems


#2 2010-02-09 15:15:24

Felix Riesterer
Administrator
From: Germany
Registered: 2005-12-30
Posts: 4703

Re: False security issues

It is sad to see that you guys even have to react to such senseless babble... Just as Einstein has said:

Einstein wrote:

Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.


Greetings from Germany,

Felix Riesterer.
(-> about me and this forum <-)


#3 2010-02-09 15:58:21

spocke
Administrator
From: Sweden, Skellefteå
Registered: 2004-11-25
Posts: 11479

Re: False security issues

We have seen these false reports for years. Just because a file within a directory called tinymce has a security issue doesn't mean that it's part of the product. It's like saying that Linux has a security issue since a PHP page has SQL injections and it's hosted on a Linux machine. Sometimes you need to set the record straight.


Best regards,
Spocke - Main developer of TinyMCE


#4 2010-02-10 23:35:31

Sword
Member
Registered: 2005-10-30
Posts: 35

Re: False security issues

Thank you, very good news that TinyMCE cannot contain any exploit!

Maybe you should make it sticky?

Last edited by Sword (2010-02-10 23:36:20)


http://www.Lithuanianjoomla.COM
I like TinyMCE a lot :)


#5 2010-02-20 04:17:03

jmanico
Member
Registered: 2008-06-16
Posts: 3

Re: False security issues

Afraithe,

I am a religious user of TinyMCE - awesome product!

When allowing a user to submit HTML that might be viewed by other users, you are facilitating possible XSS! It's crucial to have a policy engine on the server that validates that users are submitting "SAFE HTML" that adheres to a strict policy specific to your application, and that user-driven HTML does not contain malicious JavaScript.

For this purpose I use OWASP AntiSamy (http://www.owasp.org/index.php/Category … my_Project), another open source project.

The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance with an application's rules. Another way of saying that could be: it's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term "malicious code" in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

So WHENEVER you allow a user to submit HTML to your site with TinyMCE, make sure you validate that HTML!!! Strictly! Like Afraithe is saying, anything can be manipulated on the client, so validate on the server, and validating HTML is not easy. So consider a project like OWASP AntiSamy on the server when you use TinyMCE on the client.


#6 2010-02-20 08:05:42

Felix Riesterer
Administrator
From: Germany
Registered: 2005-12-30
Posts: 4703

Re: False security issues

jmanico wrote:

validating HTML is not easy

Why not? If you remove any JavaScript stuff, the remaining code should be XSS-safe... or am I wrong?


Greetings from Germany,

Felix Riesterer.
(-> about me and this forum <-)


#7 2010-02-20 12:39:31

spocke
Administrator
From: Sweden, Skellefteå
Registered: 2004-11-25
Posts: 11479

Re: False security issues

We have written an XSS HTML validator that we might release as a TinyMCE package; it takes care of all the common XSS patterns. But I must say it is a bit tricky, since you can have JS in style attributes, events and URLs, and all of these can be entity encoded, URL encoded or even padded with null bytes.


Best regards,
Spocke - Main developer of TinyMCE
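
Added example, not code from this thread, from TinyMCE or from AntiSamy: a minimal allowlist-based server-side sanitizer in Python of the kind jmanico recommends in #5, built to handle the cases spocke lists in #7. Event handlers and style attributes disappear because they are not in the policy, and URL attributes are checked only after entity decoding and after control characters (null bytes included) and whitespace have been stripped. The tag/attribute policy and the sample inputs are constructed for the example.

```python
from html.parser import HTMLParser
from html import escape
import re

# Allowlist policy (constructed for this example): surviving tags and their allowed attributes.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "br": set(),
    "a": {"href", "title"}, "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"br", "img"}  # tags that take no closing tag

def safe_url(value):
    """Accept relative URLs and http(s)/mailto only. Entities were already
    decoded by the parser; control chars (NUL included) and whitespace, which
    browsers ignore inside a scheme, are stripped before the comparison."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    if ":" not in cleaned:
        return True
    return cleaned.split(":", 1)[0].lower() in SAFE_SCHEMES

class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unlisted tag (script, iframe, ...): dropped, text kept
        kept = []
        for name, value in attrs:  # names arrive lower-cased, values decoded
            if name not in ALLOWED[tag]:
                continue  # drops on* handlers, style and everything unlisted
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue  # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped

def sanitize(html):
    """Rebuild the document from the allowlist and return serialized HTML."""
    p = PolicySanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

The output is re-serialized from the parsed tree rather than patched with regexes, so encoded or padded variants of a rejected value never reach the page in their original form.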

