Hello people,
I need suggestions on the use of RTE as a Component and in a Content Fragment.
It will generate component JSON with HTML tags. Is it XSS-attack-proof to use for authoring purposes?
Please provide your views on it.
Thanks.
cc: @aanchal-sikka @Harwinder-singh @EstebanBustamante @arunpatidar @Tanika02 @Sady_Rifat
My Opinion - Not Adobe's
Yes, using Multiline Rich Text Content Fragment Model data type can pose a security concern if not handled properly. While it allows for authoring formatted content, it can also introduce the risk of XSS attacks if malicious scripts or HTML tags are injected into the content.
Maybe worth checking this via the Support channel to have the Engineering team look at it.
XSS protection means not saving attributes which can cause XSS. JSON, I think, you can use; you can try to add those values and whitelist the tags/attributes which you want.
When using RTE to generate component JSON with HTML tags, it's crucial to implement proper sanitization and validation measures to prevent XSS vulnerabilities. RTEs allow users to input and format text, which can potentially introduce malicious scripts into the generated HTML.
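Sanitizing the rich-text element on the server before the Model Exporter serializes it, as an added example that is not from this thread or from Adobe: a hypothetical Sling Model (the resource type, the dialog property names and the class name are assumed) that passes the fragment's HTML through AEM's `XSSAPI.filterHTML`, whose tag/attribute allowlist is the XSS protection policy, instead of exposing the raw element content.

```java
import javax.annotation.PostConstruct;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.models.annotations.DefaultInjectionStrategy;
import org.apache.sling.models.annotations.Exporter;
import org.apache.sling.models.annotations.Model;
import org.apache.sling.models.annotations.injectorspecific.OSGiService;
import org.apache.sling.models.annotations.injectorspecific.Self;
import org.apache.sling.models.annotations.injectorspecific.ValueMapValue;
import org.apache.sling.xss.XSSAPI;
import com.adobe.cq.dam.cfm.ContentElement;
import com.adobe.cq.dam.cfm.ContentFragment;

// Hypothetical Sling Model: a component that points at a Content Fragment and
// exposes one multiline rich-text element through the JSON Model Exporter.
@Model(adaptables = Resource.class,
       resourceType = "example/components/richtext-fragment", // assumed resource type
       defaultInjectionStrategy = DefaultInjectionStrategy.OPTIONAL)
@Exporter(name = "jackson", extensions = "json")
public class RichTextFragmentModel {
    @Self private Resource resource;
    @ValueMapValue private String fragmentPath; // assumed dialog property: fragment path
    @ValueMapValue private String elementName;  // assumed dialog property: element to expose
    // AntiSamy-backed filter; its tag/attribute allowlist is the XSS protection
    // policy (/libs/cq/xssprotection/config.xml, overlay under /apps to tune it).
    @OSGiService private XSSAPI xssAPI;
    private String html = "";

    @PostConstruct
    protected void init() {
        Resource fr = fragmentPath == null ? null : resource.getResourceResolver().getResource(fragmentPath);
        ContentFragment fragment = fr == null ? null : fr.adaptTo(ContentFragment.class);
        if (fragment == null || elementName == null || !fragment.hasElement(elementName)) {
            return; // nothing to expose; an empty string is safer than a partial error
        }
        ContentElement element = fragment.getElement(elementName);
        if ("text/html".equals(element.getContentType())) {
            // Rich text: keep allowlisted markup, drop <script>, on* handlers, javascript: URLs
            html = xssAPI.filterHTML(element.getContent());
        } else {
            // Plain text: escape so the client never parses it as markup
            html = xssAPI.encodeForHTML(element.getContent());
        }
    }

    // Serialized as "html"; the front end may render it only because the server filtered it.
    public String getHtml() {
        return html;
    }
}
```

The same filter should run wherever the element is exposed (custom servlets, GraphQL resolvers), since the allowlist protects only the paths that call it.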
Thanks @kautuk_sahni. Yeah, I understood this.
My next doubt would be: we need to use the Multiline Rich Text Content Fragment Model data type to author formatted content like bold text, bullet points etc. with the OOTB data type, and it will be exposed via the model exporter to the Frontend to consume. Will it be a security concern?
Thanks @kautuk_sahni, got it.