-
Notifications
You must be signed in to change notification settings - Fork 637
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configuration to sanitize <script> tags in CMS content #906
Comments
Hi @chiubaka It's been a while since I looked into this, but you can change default options for wysiwyg by overwriting this file: https://github.com/comfy/comfortable-mexican-sofa/blob/master/app/assets/javascripts/comfy/admin/cms/wysiwyg.js I'm a bit surprised that i doesn't remove script tags. Seems like it should not allow those by default: https://github.com/comfy/comfortable-mexican-sofa/blob/master/app/assets/javascripts/comfy/vendor/redactor.js#L196 |
Hey @GBH, Thanks for your response, and apologies for the delay in mine. I slightly mis-spoke in describing the issue here. Here's the thread between our security consultant and me illustrating the attack vector: So, you're correct, the WSIWYG widget is attempting to sanitize the input, however, it is possible to circumvent this. The measure that really needs to be in place here is the CMS itself escaping the scripts before the content is pulled from the DB and displayed on the page. Or really just some form of backend protection here. Right now security of the system depends on a well-behaved client. I don't suppose there are any existing options lying around to do this? Best, |
One thing I can suggest is to add a |
Interesting. A Are these changes you'd feel comfortable with finding their into the main codebase? |
Tried asking about this on Gitter, but no response...
I run a site that uses this gem as a simple CMS system. We had a routine security review a few weeks ago, and a security expert flagged that he can create pages with arbitrary scripts by entering script tags into the WSIWYG code.
While I'm aware that Comfy has a separate field in layouts allowing admins to add scripts to pages, the security expert's concern is that leaving things this way could leave the system vulnerable to an administrator unwittingly creating an exploitable situation without having meant to.
Expected behavior
Script tags in WSIWYG or other CMS text content should be escaped or sanitized. OR a configuration option should be provided to allow for this.
Actual behavior
Script tags are rendered as is, allowing for running of arbitrary scripts in a CMS page.
The text was updated successfully, but these errors were encountered: