1

Topic: Tinymce Security!

Hello there,

TinyMCE in itself cannot be insecure; it would be completely impossible for any exploit to exist in TinyMCE that would allow anyone to hack your blog/CMS or similar. It is important to understand that TinyMCE is PURE JavaScript, and is only run in the context of the browser of the user who is using the page. Any exploit has to exist in the server-side logic.

This also means you should not assume that TinyMCE is secure: if you implement TinyMCE on a public page where anyone has access and can publish the content, you are bound to run into security issues. Most systems have TinyMCE behind some form of login, and that makes any potential security issues void, unless you do not trust the people using TinyMCE inside your system.

We require that JavaScript be enabled on our site, so TinyMCE itself is secure; shall we still parse input?

2

Re: Tinymce Security!

You didn't get it, did you? The "attack" comes from the posted data. You can't be sure that the data comes from TinyMCE or not. YOU.MUST.ALWAYS.SANITIZE.USER-SUBMITTED.DATA.ON.THE.SERVER.

Greetings from Germany,

Felix Riesterer.
(-> about me and this forum <-)

3

Re: Tinymce Security!

I got it. I'm sure. The data comes from TinyMCE, there is no other way, so shall I still do anything, or is TinyMCE secure enough?

4

Re: Tinymce Security!

keisko wrote:

I got it. I'm sure.

God bless you.

keisko wrote:

The data comes from TinyMCE, there is no other way

Oh yes, there is. Just imagine this situation: my Firefox has the Firebug add-on installed. With this I can manipulate many JavaScript-controlled things, TinyMCE included. In fact I can disable TinyMCE and manipulate the contents of your textarea as I see fit. Then, after I've modified the code, I'll submit the form and send my manipulated data to your server.

BANG!! You just got attacked.

keisko wrote:

so shall I still do anything, or is TinyMCE secure enough?

Do what you will.

Greetings from Germany,

Felix Riesterer.
(-> about me and this forum <-)

5

Re: Tinymce Security!

"There is no other way to send data": I meant, we use an Ajax POST system to post data with a security hash. Disabling JavaScript will not do anything if you press the submit button.

6

Re: Tinymce Security!

Amazing, that's all I have to say.

Afraithe
TinyMCE Developer
Moxiecode Systems

7

Re: Tinymce Security!

If the server is insecure it doesn't matter what you have on the client side. Secure your server and your problems are solved.

Best regards,
Spocke - Main developer of TinyMCE