May posting of images through a rich text editor be vulnerable to XSS attacks?

1
votes

I'm using a rich text editor - CKEditor to allow users to input formatted text that renders HTML/CSS.

To prevent XSS attacks by untrusted users, I'm using the Jsoup Java library which filters/whiltelists necessary tags and/or attributes of the user input something like, for example, an anchor tag like,

<a href='http://example.com/' onclick='executeMaliciousTask();'>Click Here</a>

is turned into 

<a href="http://example.com/" rel="nofollow">Click Here</a>

The link generated by Jsoup seems to be safe against XSS attacks.

I need to allow users to input images through the editor. For this to be so, I'm using using the following method of Jsoup.

org.jsoup.Jsoup.clean(editorContents, org.jsoup.safety.Whitelist.basicWithImages();

May allowing users to post images in this way be vulnerable to XSS attacks in any way?

1
ckeditorjsoupxsswysiwygckfinder

1 Answers

1
votes

The risk is not in the clean HTML generated, but in the server that provides the image. My main concern would be CSRFs. But there could be other issues (like an malicious images causing a buffer overrun, or changing the response content-type and fooling the browser into executing script, or setting tracking cookies, etc).

My suggestion would be not to allow images to be remotely hosted. Allow the user to include an img, but fetch the image, validate / normalize it, and serve it from your own host.