Suggestion on RTE | Community
iamnjain
Community Advisor
October 18, 2023
Solved

Suggestion on RTE

  • October 18, 2023
  • 2 replies
  • 895 views

Hello people,


I need a suggestion on the use of RTE as a component and in a Content Fragment.

It will generate component JSON with HTML tags. Is it XSS-attack-proof to use for authoring purposes?

Please provide your views on it.


Thanks.

cc: @aanchal-sikka @harwinder-singh @estebanbustamante @arunpatidar @tanika02 @sady_rifat 


2 replies

arunpatidar
Community Advisor
October 18, 2023

XSS protection means not saving attributes which can cause XSS. JSON, I think, you can use; you can try to add those values and whitelist the tags/attributes which you want.

Arun Patidar
kautuk_sahni
Community Manager
October 19, 2023

When using RTE to generate component JSON with HTML tags, it's crucial to implement proper sanitization and validation measures to prevent XSS vulnerabilities. RTEs allow users to input and format text, which can potentially introduce malicious scripts into the generated HTML.


Kautuk Sahni
iamnjain
Community Advisor (Author)
October 19, 2023

Thanks @kautuk_sahni. Yeah, I understood this.

My next doubt would be: we need to use the Multiline Rich Text Content Fragment Model data type to author formatted content like bold text, bullet points, etc. with the OOTB data type, and it will be exposed via the model exporter to the frontend to consume. Will it be a security concern?

kautuk_sahni
Community Manager (Accepted solution)
October 19, 2023

My Opinion - Not Adobe's

Yes, using Multiline Rich Text Content Fragment Model data type can pose a security concern if not handled properly. While it allows for authoring formatted content, it can also introduce the risk of XSS attacks if malicious scripts or HTML tags are injected into the content.


Maybe worth checking this via the Support channel to have the Engineering team look at it. 

Kautuk Sahni
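The thread's advice (Arun's "whitelist the tags/attributes which you want" and Kautuk's "implement proper sanitization" before the rich-text JSON reaches the frontend) amounts to an allowlist HTML filter. The following is an added example written for this page, not AEM code and not its OOTB XSSAPI (which provides a server-side HTML filter for exactly this job); it shows the principle in plain Python so the behaviour can be checked offline. The tag list, the `safe_href` rules and the fragment JSON shape (`title`/`body`) are assumptions; the sample inputs are constructed. It also handles the cases a plain tag filter misses: event-handler attributes, `javascript:` links hidden behind HTML entities or embedded tab characters, and unclosed tags that would otherwise break the page they are injected into.

```python
"""Allowlist sanitizer for HTML emitted by a rich-text editor (RTE).

Added example for this thread, not AEM code and not the OOTB XSSAPI. It keeps
only an allowlist of tags/attributes and drops the rest before rich-text JSON
is rendered. Tag list, href rules and JSON shape are assumptions.
"""
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an RTE needs for bold, italics, lists, headings and links, each with the
# attributes allowed on it. Anything not listed here is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                        # no closing tag, never pushed on the stack
DROP_CONTENT_TAGS = {"script", "style"}   # the tag and its text are both discarded
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(value):
    """Return the href if it is relative or uses a safe scheme, else None.

    HTMLParser has already decoded entities, so "java&#115;cript:" and
    "javascript&colon;" arrive here as "javascript:" and are rejected.
    """
    value = value.strip()
    # Browsers ignore embedded tabs/newlines ("java\tscript:" still runs), so
    # reject any remaining control character or space instead of stripping it.
    if any(ord(c) < 33 for c in value):
        return None
    scheme = urlparse(value).scheme  # urlparse lowercases the scheme
    return value if scheme == "" or scheme in SAFE_SCHEMES else None


class RteSanitizer(HTMLParser):
    """Re-serialises only allowlisted markup; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # lets us close tags the author left unclosed
        self.skipping = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skipping += 1
            return
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            return  # unknown tag dropped; its child text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in allowed_attrs or value is None:
                continue  # drops onclick=, onmouseover=, style=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skipping = max(0, self.skipping - 1)
            return
        if tag not in self.open_tags:
            return  # stray close tag, e.g. </b> with no <b>
        while True:  # close whatever is still open inside it so output stays well-formed
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_rte_html(fragment):
    parser = RteSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed stand-in for a content fragment's exported JSON; the real exporter
# output has more fields, but the rich-text field is still just an HTML string.
SAMPLE_FRAGMENT_JSON = json.dumps({
    "title": "Welcome",
    "body": '<p onmouseover="x()">Hi <b>there</b><script>alert(1)</script></p>',
})


def sanitize_fragment_json(raw_json, html_fields=("body",)):
    """Sanitise the rich-text fields of a fragment's JSON before rendering."""
    data = json.loads(raw_json)
    for field in html_fields:
        if isinstance(data.get(field), str):
            data[field] = sanitize_rte_html(data[field])
    return data


if __name__ == "__main__":
    print(sanitize_fragment_json(SAMPLE_FRAGMENT_JSON)["body"])
```

The design choice worth noting is that the filter never tries to recognise "bad" markup; it re-serialises only what it positively recognises and escapes everything else as text, so an attribute or tag it has never heard of cannot get through. Run this on the author side (before the value is stored) or wherever the JSON is turned into DOM, but run it on the exact string that will be rendered, since a frontend that calls `innerHTML` on an unfiltered field undoes any filtering done elsewhere.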