Comments (6)

wachterjohannes commented on June 13, 2024

Thanks for the report :) but we explicitly allow all the HTML tags and attributes in the editor. You can decide if you want to render the content in raw (twig filter). We do this because we don't see the big problem here because the content-manager (logged in system user) should be "competent" enough to avoid it if he doesn't want it.

But we are planning in a future release to make this behavior configurable - there are no concrete plans currently.

/cc @chirimoya @danrot please add your thoughts about this topic

from sulu-standard.

danrot commented on June 13, 2024

I also think that this is the job of the template developer. Especially because I have already seen textareas being used to copy small JavaScript snippets (e.g. YouTube embed codes).


floatingbits commented on June 13, 2024

I've been running into issues because the code is not only rendered unsanitized on the webpage/preview, but also in the block preview in the actual edit page.
It's quite disturbing when you want to paste one of the new (?) responsive vimeo.com embed codes which load a JS file which seems to break Sulu's backend JS up to the point that you aren't able to save the page anymore...
But then, I'm on 1.4, maybe 1.6 has got a different behaviour?


alexander-schranz commented on June 13, 2024

@floatingbits Only the CKEditor runs JS code, but there it is run inside an iframe and should not crash any backend components. And for embed codes it's recommended to use textareas and not text editors. So an update to 1.6 should fix it for textareas.


floatingbits commented on June 13, 2024

Hmmm. I do use a textarea. The HTML is output without any sanitizing to the block preview.
The code that breaks the whole edit page is a simple Vimeo embed code featuring a script tag:

<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/267254114?title=0&byline=0&portrait=0" style="position:absolute;top:0;left:0;width:100%;height:100%;" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>

My blocks (without the breaking script tag) look like this:
screenshot from 2018-05-09 10-53-28
screenshot from 2018-05-09 10-55-52

EDIT: Ahh, ok. The update to 1.6 should fix it :-)


alexander-schranz commented on June 13, 2024

For @prodigysml: if you don't want to output something on the website, you may need to create a custom Twig extension using something like http://htmlpurifier.org.

@floatingbits that's good.

I will now close the issue as it seems to be fixed; otherwise feel free to reopen it or add a comment.

from sulu-standard.
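
The purifier-based Twig extension suggested in the last comment, as an added example that is not part of the original thread or of Sulu's own code. It assumes the `ezyang/htmlpurifier` and `twig/twig` Composer packages; the class name `PurifyExtension` and the filter name `purify` are hypothetical, and the iframe allowlist is narrowed to the Vimeo player URL from the embed code quoted earlier in the thread.

```php
<?php
// Added example, not Sulu code. Assumes ezyang/htmlpurifier and twig/twig
// are installed via Composer; class and filter names are hypothetical.

namespace App\Twig;

use HTMLPurifier;
use HTMLPurifier_Config;
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

final class PurifyExtension extends AbstractExtension
{
    private ?HTMLPurifier $purifier = null;

    public function getFilters(): array
    {
        // is_safe => html: the filter output is already sanitized, so Twig
        // does not escape it again and the template does not need |raw.
        return [
            new TwigFilter('purify', [$this, 'purify'], ['is_safe' => ['html']]),
        ];
    }

    public function purify(?string $html): string
    {
        if ($html === null || $html === '') {
            return '';
        }

        return $this->getPurifier()->purify($html);
    }

    private function getPurifier(): HTMLPurifier
    {
        if ($this->purifier === null) {
            $config = HTMLPurifier_Config::createDefault();
            // Keep <iframe> only when its src matches the allowlisted player URL.
            $config->set('HTML.SafeIframe', true);
            $config->set('URI.SafeIframeRegexp', '%^https://player\.vimeo\.com/video/%');
            // <script> elements and on* event-handler attributes are not in
            // HTML Purifier's default allowlist, so they are dropped.
            $this->purifier = new HTMLPurifier($config);
        }

        return $this->purifier;
    }
}
```

Once the class is registered as a Twig extension (tagged `twig.extension` in Symfony), a template would use `{{ content.text|purify }}` in place of `{{ content.text|raw }}`; `content.text` is a placeholder field name.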
