I am using FCKEditor in my Ruby on Rails Application. Users add blog posts using FCKEditor.

Then I display blog posts using

@blog.body.html_safe

I know FCKEditor escapes any JavaScript code, but what if a user posted a request with direct parameters, setting the blog post body to include some JavaScript? This may be a security vulnerability.

Any idea how I can use FCKEditor with Rails safely?

Mahmoud Khaled
  • html_safe should be escaping javascript already, regardless of what FCKEditor is doing? Could you provide more details of what you see as a potential exploit? – Joe Pym Mar 29 '12 at 13:50
  • Joe is right, you really aren't relying on FCKEditor to do the security, html_safe is what does that. Additionally, FCKEditor is out of date, you should seriously consider moving to CKEditor (New version of FCKEditor, they changed the name for obvious reasons). – Ben Miller Mar 29 '12 at 14:12
  • No Joe, html_safe doesn't escape javascript. – Mahmoud Khaled Apr 01 '12 at 13:16

1 Answer

We can use a whitelist HTML sanitizer to escape all tags except some formatting tags.

Sanitize

Mahmoud Khaled
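As an added illustration of the whitelist approach described in the answer (example code written for this page, not the Sanitize gem's code and not from the original post): a small stand-alone Ruby sanitizer that keeps only an allowlist of formatting tags and a single safe `href` attribute, and escapes everything else. In a Rails app the same step belongs between the stored body and `html_safe` (e.g. `Sanitize.fragment(@blog.body, ...)` with the gem), so a body injected directly through request parameters cannot carry script or event-handler markup into the page. The allowlists and sample inputs below are constructed for the example.

```ruby
require 'cgi'

# Constructed allowlist for this example: tags kept, attributes kept per tag, URL schemes kept.
ALLOWED_TAGS  = %w[p br b i em strong ul ol li a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# Accepts relative URLs and absolute URLs with an allowed scheme. Tabs, newlines and
# leading control characters are removed first because browsers ignore them in URLs.
def safe_url?(value)
  cleaned = value.gsub(/[\t\n\r]/, '').sub(/\A[\x00-\x20]+/, '').downcase
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Emits a freshly built tag containing only allowed attributes, with escaped values.
def rebuild_tag(name, closing, attr_text)
  return "</#{name}>" if closing
  pairs = attr_text.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
  kept = pairs.map do |key, dq, sq, bare|
    key = key.downcase
    val = CGI.unescapeHTML(dq || sq || bare)
    next unless ALLOWED_ATTRS.fetch(name, []).include?(key)
    next if key == 'href' && !safe_url?(val)
    %( #{key}="#{CGI.escapeHTML(val)}")
  end
  "<#{name}#{kept.compact.join}>"
end

# Whitelist sanitizer: any tag not on the list is escaped rather than rendered, so the
# output contains only tags this code built itself.
def sanitize_html(input)
  input.gsub(/<[^>]*>|<|[^<]+/) do |token|
    m = token.match(/\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)\s*([^>]*)>\z/)
    if m && ALLOWED_TAGS.include?(m[2].downcase)
      rebuild_tag(m[2].downcase, m[1] == '/', m[3])
    else
      # Plain text, a bare '<', or a disallowed/malformed tag: normalise entities, then escape.
      CGI.escapeHTML(CGI.unescapeHTML(token))
    end
  end
end
```

The sanitized string is what should be marked `html_safe`; calling `html_safe` on the raw stored body only tells Rails to skip escaping, it does not remove anything.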