Adding a Warning Label to the Rich Text Editor #17658
liyun-li started this conversation in Features and ideas
Replies: 1 comment
-
I appreciate the concern around this but I do not agree that we should put any kind of warning labels into the UI to scare editors. If you're having "internal attackers" I think that they can do a lot of harm in other ways than just with the RTEs depending on how things are implemented. I would also argue that it's a "case to case" concern and that the vast majority of Umbraco websites do not have any potential issues with internal hackers. IF for some reason someone would consider including this in the core I would very much vote for it to be an opt-in feature for sites where this is a concern.
-
Developers may think that the RTE component is secure against XSS due to the default HTML sanitization by the frontend Rich Text Editor, but in reality an internal attacker may be able to introduce unwanted JS code (XSS) by interacting with the API directly. The CMS can be extended via the IHtmlSanitizer class to perform HTML sanitization on the server side, and I think attaching a warning label to the RTE will be helpful for developers or site maintainers to understand the risk associated with permitting RTE contents.
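As an added example (not code from this discussion or from the Umbraco project), this is the server-side mitigation the original post refers to: an IHtmlSanitizer implementation that cleans rich text when it is saved, so content submitted straight to the API gets the same treatment as content typed into the editor. It assumes Umbraco 9 or later, where Umbraco.Cms.Core.Security.IHtmlSanitizer exposes a single string Sanitize(string html) method and the default implementation passes HTML through unchanged, and it uses the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss in recent releases, Ganss.XSS in older ones). The allow-list below (RteHtmlSanitizer, SanitizerComposer, the tag and scheme sets) is a hypothetical policy for illustration, not a recommendation for every site.

```csharp
// Added example, not from the discussion above or from Umbraco itself.
// Assumptions: Umbraco 9+ (IHtmlSanitizer with string Sanitize(string html)),
// HtmlSanitizer NuGet package installed (namespace Ganss.Xss in v8+).
using Microsoft.Extensions.DependencyInjection;
using Umbraco.Cms.Core.Composing;
using Umbraco.Cms.Core.DependencyInjection;
using Umbraco.Cms.Core.Security;
using Umbraco.Extensions;

namespace MySite.Security
{
    // Hypothetical allow-list sanitizer for RTE content. Umbraco's rich text
    // property editor runs IHtmlSanitizer on the value it stores, which is what
    // closes the gap for content that never went through the browser editor.
    public class RteHtmlSanitizer : IHtmlSanitizer
    {
        private static readonly string[] AllowedTags =
            { "p", "br", "strong", "em", "ul", "ol", "li", "a", "img", "h2", "h3", "blockquote" };
        private static readonly string[] AllowedAttributes = { "href", "src", "alt", "title" };
        private static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

        private static Ganss.Xss.HtmlSanitizer Build()
        {
            var s = new Ganss.Xss.HtmlSanitizer();

            // Start from an explicit allow-list instead of the library defaults,
            // so <script>, <iframe>, event handler attributes etc. are dropped.
            s.AllowedTags.Clear();
            foreach (var tag in AllowedTags) s.AllowedTags.Add(tag);

            s.AllowedAttributes.Clear();
            foreach (var attr in AllowedAttributes) s.AllowedAttributes.Add(attr);

            // Only these URL schemes survive in href/src; javascript: and data:
            // URLs are removed. Relative URLs are still allowed.
            s.AllowedSchemes.Clear();
            foreach (var scheme in AllowedSchemes) s.AllowedSchemes.Add(scheme);

            // No inline CSS at all (style attribute is stripped).
            s.AllowedCssProperties.Clear();
            return s;
        }

        public string Sanitize(string html)
        {
            if (string.IsNullOrEmpty(html))
            {
                return html;
            }

            // A fresh instance per call sidesteps any question of shared state
            // when Umbraco resolves this service as a singleton.
            return Build().Sanitize(html);
        }
    }

    // Registers the sanitizer in place of Umbraco's default implementation.
    public class SanitizerComposer : IComposer
    {
        public void Compose(IUmbracoBuilder builder)
        {
            builder.Services.AddUnique<IHtmlSanitizer, RteHtmlSanitizer>();
        }
    }
}
```

To check that it is in effect, save an RTE property containing something like `<p>ok</p><script>alert(1)</script><a href="javascript:alert(1)">x</a>` through the backoffice API rather than the editor, then read the stored value back: the paragraph should remain, the script element should be gone, and the link should have lost its javascript: href. The allow-list should be tuned to what the site's editors genuinely need; every extra tag or attribute (especially anything that can carry a URL or an event handler) widens the attack surface the original post describes.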