How to prevent XSS attacks, like this:
<img src="http://www.erorerer.com/a.jpg" onerror="alert(1)" />
<script>alert(1)</script>
It's already prevented by the clipboard module by default. Do you have any specific case or CodePen example? You can't paste it into Quill without sanitation, and it won't be stored in the Delta anyway.
I'd like to amend @DmitrySkripkin's comment, since it can be confusing and even dangerous for inexperienced developers.
Client-side modules can never prevent XSS attacks, even in theory. A malicious user can craft an HTTP request that sends an XSS payload to the server, bypassing any client-side sanitation.
The correct way to prevent XSS attacks with rich-text editors is to enforce a whitelist of sanitation rules on the server, before storing the content. See #510 and e.g. https://github.com/punkave/sanitize-html.
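As an added example of the server-side whitelist the comment above calls for (not Quill's own code and not from this thread), assuming the content is stored as a Quill Delta rather than as HTML; if you store HTML instead, an HTML sanitizer such as the linked sanitize-html is the right tool, and this is not a replacement for it:

```javascript
// Added example (not Quill's own code): a server-side allowlist applied to a
// Quill Delta before it is stored. Anything not explicitly allowed is dropped.
const ALLOWED_INLINE = new Set(['bold', 'italic', 'underline', 'strike', 'code']);
const SAFE_SCHEME = /^(https?:|mailto:)/i; // no javascript:, data:, vbscript:

// Return the trimmed URL only if its scheme is allowlisted, otherwise null.
function safeUrl(value) {
  const s = typeof value === 'string' ? value.trim() : '';
  return SAFE_SCHEME.test(s) ? s : null;
}

// Keep only known formats with well-typed values; unknown keys are discarded.
function sanitizeAttributes(attrs) {
  const out = {};
  if (!attrs || typeof attrs !== 'object') return out;
  for (const [key, value] of Object.entries(attrs)) {
    if (ALLOWED_INLINE.has(key) && value === true) out[key] = true;
    else if (key === 'header' && Number.isInteger(value) && value >= 1 && value <= 6) out[key] = value;
    else if (key === 'list' && (value === 'ordered' || value === 'bullet')) out[key] = value;
    else if ((key === 'blockquote' || key === 'code-block') && value === true) out[key] = true;
    else if (key === 'link' && safeUrl(value)) out[key] = safeUrl(value);
  }
  return out;
}

// Sanitize a whole Delta: only text inserts and image embeds with safe URLs survive.
function sanitizeDelta(delta) {
  const ops = Array.isArray(delta && delta.ops) ? delta.ops : [];
  const clean = [];
  for (const op of ops) {
    if (!op || typeof op !== 'object') continue;
    let insert;
    if (typeof op.insert === 'string') {
      insert = op.insert;
    } else if (op.insert && typeof op.insert === 'object' && 'image' in op.insert) {
      insert = { image: safeUrl(op.insert.image) };
      if (!insert.image) continue; // drop embeds with javascript:/data: URLs
    } else {
      continue; // unknown embed type (video, custom blot, ...) is not stored
    }
    const attributes = sanitizeAttributes(op.attributes);
    const cleanOp = { insert };
    if (Object.keys(attributes).length) cleanOp.attributes = attributes;
    clean.push(cleanOp);
  }
  return { ops: clean };
}
```

Run `sanitizeDelta` on the request body before it reaches storage; text inserts are kept verbatim because Quill renders them as text nodes, not markup.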
I just started using quill recently. Here is the workflow for my user content:
I realize this leaves a vulnerability if a malicious user reverse engineers my API and submits dangerous HTML. The service I'm building is only for in-house use, so a malicious user should not be able to log in, but I would like to do this correctly.
The easiest solution I can think of is to have Quill sanitize the HTML string before including it in the page, such that the allowed content matches Quill formats. But I have not found any documentation on how to accomplish this.
@xiegeo It is impossible to sanitize stuff on the client, since you have no control over the client. A malicious user can modify the client to send whatever payload to the server. You must sanitize the user input on the server.
The issue I referenced above (https://github.com/quilljs/quill/issues/510) has been deleted. Can @DmitrySkripkin or @jhchen shed some light on why?
@tuomassalo I don't need to protect what gets on the server, only what is displayed by well behaving clients.
@tuomassalo It's really _possible_ to sanitize stuff on the client before rendering.