Mmm, let me think about it... I'd avoid CKEditor if sharing with untrusted users; it's not intended for that use: http://www.google.es/search?hl=es&source=hp&q=ckeditor+xss

If you feel insecure, don't worry, I know the most secure way of preventing XSS: google-caja http://code.google.com/p/google-caja/ You don't need CKEditor nor XML with sanitize; google-caja will do it for you: http://sites.google.com/site/io/secure-collaboration---how-web-applications-can-share-and-still-be-paranoid I think google-caja will ship with web2py in the future.

On 1 jul, 21:44, MikeEllis <[email protected]> wrote:
> Thanks for responding!
>
> The XML() helper is described in the online web2py book in section 5.2.
>
> Basically, it prevents characters that are special to HTML from being escaped in the output of other web2py helpers. The sanitize argument tells XML() to escape all but a permitted set of tags and allowed attributes. Massimo has some examples in the book of using XML() to escape <script> tags to prevent javascript XSS attacks while allowing innocuous markup to pass through unaltered.
>
> The myXML() wrapper I wrote adds 2 tags, 'object' and 'embed', and specifies as allowed attributes 'height' and 'width' for object and 'allowfullscreen', 'src', and 'type'. These seem to be sufficient to allow one to go to YouTube, Vimeo, or MetaCafe, click the embed button, copy the html, paste it into the CKEditor instance in my application, and allow the video to play when my application renders the user's content.
>
> So, for example, if the input a user submits contains video embedding code like this:
>
>     <object width="400" height="225"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed></object>
>
> then myXML() will turn it into
>
>     <object height="225" width="400"><param><param><param><embed allowfullscreen="true" src="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash"></embed></object>
>
> Notice that the <param> tags are escaped and their attributes are removed. Also notice that the "allowscriptaccess" tag has been removed from the <embed> tag. Surprisingly, removing this stuff doesn't seem to affect the display and playback of the video.
>
> So what I'm trying to find out is whether this level of escaping is sufficient to prevent anything harmful from being served by my application or, if not, what additional validation and filtering is needed.
>
> You asked about my upload form. Basically it looks like this:
>
>     fields = [Field("edited", 'string', default=itemtext,
>                     requires=IS_NOT_EMPTY(),
>                     widget=ckeditor_basic,
>                     formstyleitem=None,
>                     )
>               ]
>     form = SQLFORM.factory(*fields)
>     if form.accepts(request.vars, session):
>         session.flash = 'Edit accepted.'
>         #import pdb; pdb.set_trace()
>         update(form.vars.edited)
>
>         ... etc ..
>
>     elif form.errors:
>         response.flash = 'Form has errors!'
>     else:
>         response.flash = 'Fill out the form'
>     return dict(form=form)
>
> The ckeditor_basic widget is a wrapper that replaces a textarea with a CKEditor instance. So what the user gets is the ability to compose content with a limited set of markup including links, images, and embedded video. Note that there is no support for uploading the actual image or video files. When the user submits the content, my application stores it verbatim to be served later after passing it through the myXML() function.
>
> Thanks,
> Mike
>
> On Jul 1, 2:40 pm, GoldenTiger <[email protected]> wrote:
> > I don't know how the XML function works, let me see your upload form code and any html output of myXML
> >
> > On 1 jul, 18:32, MikeEllis <[email protected]> wrote:
> > > I'm developing an app that needs to allow users to create and view content that includes links, images, and embedded video, e.g. from YouTube. The following wrapper for the XML function seems the minimum set that will do the job, but I'm concerned about XSS attacks.
> > >
> > >     def myXML(text):
> > >         return XML(text, sanitize=True,
> > >                    permitted_tags=['a', 'b', 'blockquote', 'br/', 'i', 'li',
> > >                                    'ol', 'ul', 'p', 'cite', 'code', 'pre',
> > >                                    'img/', 'object', 'embed'],
> > >                    allowed_attributes={'a': ['href', 'title'],
> > >                                        'img': ['src', 'alt'], 'blockquote': ['type'],
> > >                                        'object': ['height', 'width'],
> > >                                        'embed': ['allowfullscreen', 'src', 'type'],
> > >                                        })
> > >
> > > Any suggestions from the security experts in the community?
> > >
> > > Thanks,
> > > Mike
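The whole thread turns on one question: is a tag/attribute whitelist like myXML() enough on its own? The example below is added here and is not part of the thread, and it is not web2py's XML() sanitizer. It is a small standalone whitelist filter built on Python's html.parser that keeps the same permitted tags and allowed attributes as myXML(), and adds the check a reviewer would ask for next: URL-bearing attributes (href, src) are only kept when they use http or https, and an <embed>/<object> src is only kept when its host is on an allow-list. Everything below is assumed for the example: the EMBED_HOSTS list, the sample inputs, and the choice to render non-permitted tags as literal escaped text (web2py's output above kept empty <param> tags instead; this example does not reproduce that behaviour). Relative URLs are rejected by this example too, since they have no scheme.

```python
# Added example (not web2py's own sanitizer): a whitelist HTML filter in the
# spirit of the myXML() wrapper from the thread, plus scheme/host checks on
# URL attributes. All hosts, tags and sample inputs here are constructed.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

PERMITTED_TAGS = {'a', 'b', 'blockquote', 'br', 'i', 'li', 'ol', 'ul', 'p',
                  'cite', 'code', 'pre', 'img', 'object', 'embed'}
VOID_TAGS = {'br', 'img'}  # written as 'br/' and 'img/' in the myXML() list
ALLOWED_ATTRIBUTES = {
    'a': ['href', 'title'],
    'img': ['src', 'alt'],
    'blockquote': ['type'],
    'object': ['height', 'width'],
    'embed': ['allowfullscreen', 'src', 'type'],
}
URL_ATTRIBUTES = {'href', 'src'}
# Assumed allow-list of hosts an <embed>/<object> may load from; a real
# deployment maintains its own list of trusted video hosts.
EMBED_HOSTS = {'vimeo.com', 'www.youtube.com'}


def url_allowed(tag, url):
    """Keep only http(s) URLs; for embed/object also require a trusted host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ('http', 'https'):
        return False  # drops javascript:, data:, vbscript:, relative URLs
    if tag in ('embed', 'object'):
        return parts.hostname in EMBED_HOSTS
    return True


class WhitelistSanitizer(HTMLParser):
    """Re-serialises only permitted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, []):
                continue  # e.g. onerror, allowscriptaccess, style
            value = '' if value is None else value
            if name in URL_ATTRIBUTES and not url_allowed(tag, value):
                continue  # disallowed scheme or untrusted host
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            # Not permitted: emit the raw tag as escaped text so the browser
            # shows it instead of interpreting it.
            self.out.append(escape(self.get_starttag_text()))
            return
        rendered = ''.join(' %s="%s"' % (n, escape(v, quote=True))
                           for n, v in self._clean_attrs(tag, attrs))
        closer = ' /' if tag in VOID_TAGS else ''
        self.out.append('<%s%s%s>' % (tag, rendered, closer))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)  # <p/> becomes <p></p>

    def handle_endtag(self, tag):
        if tag in PERMITTED_TAGS:
            if tag not in VOID_TAGS:
                self.out.append('</%s>' % tag)
        else:
            self.out.append(escape('</%s>' % tag))

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-escaped


def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()  # flush buffered text
    return ''.join(parser.out)


# Constructed sample: a trimmed Vimeo embed like the one quoted in the thread.
VIMEO_EMBED = (
    '<object width="400" height="225">'
    '<param name="allowfullscreen" value="true" />'
    '<param name="allowscriptaccess" value="always" />'
    '<embed src="http://vimeo.com/moogaloop.swf?clip_id=12475071" '
    'type="application/x-shockwave-flash" allowfullscreen="true" '
    'allowscriptaccess="always" width="400" height="225"></embed></object>'
)

if __name__ == '__main__':
    print(sanitize(VIMEO_EMBED))
    print(sanitize('<a href="javascript:alert(1)" title="x">click</a>'))
    print(sanitize('<embed src="http://evil.example/x.swf" type="t"></embed>'))
```

The design point is that the attribute whitelist decides *which* attributes survive, while url_allowed decides *what values* they may carry; myXML() as quoted does the first but not the second, so an allowed `src` or `href` could still point anywhere. The host allow-list is deliberately applied only to embed/object, the tags that load executable plugin content, while ordinary links and images only need the scheme check.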

