XSS on the default html-editor

Topics: Administration, Customizing Orchard, General, Troubleshooting
Aug 9, 2011 at 12:53 PM
Edited Aug 9, 2011 at 12:54 PM

I tried the default HTML editor and managed to inject some scripts on the body of a page, and the script runs on the rendered display.

So, how to prevent editors to do so? also how to disable some tags in the editor, like <iframe>?

Aug 9, 2011 at 7:51 PM

Having the default editor allow any HTML is something that is allowed on purpose since in most cases a person using the editor is probably trusted enough to not do something bad.

In cases where you want to limit what content/markup can be saved (e.g. comments, forum posts, etc.) you could begin by having the editor be more restrictive on what it allows but that's only a convience measure and shouldn't be entirely relied upon to limit what is saved - you would need something on the server (filter or content handler) to be the authority on what content is allowed.

To answer the specific question about preventing certain tags at the editor level you could either midify the scripts/orchard-tinymce.js file directly to reconfigure TinyMCE or create a new module, have it depend on the TinyMCE module and copy the view and orchard-tinymce.js files into the new module as a starting point for a new "flavor" of editor.

Aug 10, 2011 at 8:16 AM

Thanks skewed for the great reply.

So, how to make a module depends on another? is it like theme-parent thing? or just copy all the module to a new one then modify?

And what are the available flavors? is there any interface/service to call to add a custom one? what then the need to HTML-Agility-Pack?

Aug 10, 2011 at 7:58 PM

You should declare your feature dependencies in module.txt, and also make references from the csproj file.

Aug 11, 2011 at 12:11 PM

Still, What are the available flavors? is there any interface/service to call to add a custom one? what then the need to HTML-Agility-Pack in the lib?

Aug 11, 2011 at 6:10 PM

If you go to Content Types, and look for the BodyPart of a specific type, you will find some settings under that part, named Flavor, with "html" as a default value. What happens is that the Body part will search for a view named Body-FLAVOR.Editor in any module. It actually finds one in TinyMce/Views. If you want to create another flavor, just create a file like the one in TinyMce, and give it another name. Or if you want to create your own html flavor, just disable TinyMce and enable your own module.

You could for instance create a MarkDown flavor, which I would like a lot personaly.

Aug 13, 2011 at 9:28 AM

Thanks Sebastien, I was hooping to see some settings in the dashboard to set some tags to not be allowed, also not allow any script tags/attributes in any editor.

Aug 13, 2011 at 4:30 PM

I am sure it could be an extension to the TinyMCe module. It would make perfectly sense. If you want to contribute this is a good occasion !

Aug 14, 2011 at 8:03 AM

I will, trust me. But first I'll finish some more important modules I'm working on.