FCK Editor Question

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
1/25/2005 3:14:12 AM
Total Posts 10

FCK Editor Question

Since you have implemented the FCK Editor as the main editor now, are you doing any checking for possible hazardous code?  My own experience is that i've had to turn off automatic page validation to get it to submit correctly, but the only time I've used it is inside a login section, where I know the users are not going to be hostile.  Since this is open for anyone, how did you get around the problem?
1/25/2005 5:36:50 AM
Total Posts 18439

Re: FCK Editor Question

Good question, security is always a concern.

Currently mojoPortal is using version 2 rc1 of FCKeditor, rc2 is available but I'm inclined to wait for the final release to change it.

As you note, one must turn off the built in validation because posting back html content is potentially malicious. I don't currently see any potential server side threats other than possibly through the image upload mechanism. I supose it is currently possible for some kind of client side exploit to be added to page content using javascript.  If you see any other potential issues please elaborate.

Things I've done so far toward security:

  • no dynamic sql statements are used, all data access uses either stored procedures or paramterized queries so I think we are safe from sql injection attacks.
  • presumably users of the blog and html content modules are trusted users
  • forum users may in some cases be anonymous so image uploads are disabled in the editor for the forums

Things I plan to do but haven't done yet:

  • extra security checks in the image upload code
  • use regular expressions to remove any javascript that may be included in a post

In my view security is an ongoing process. If you see any other holes or potential holes in the security that need plugging please let me know.

You must sign in to post in the forums. This thread is closed to new posts.