Security

We take the security of Article Editor very seriously. However, because the editor is written in JavaScript, it cannot protect against every attack and vulnerability on its own. No matter how carefully the editor cleans the code it produces, an attacker can use the browser inspector or other tools to inject arbitrary markup into editable content.

That is why we strongly recommend that you perform a server-side clean-up of any code you receive from Article Editor.

Here are some of the checks that you need to do on the server side:

Send CSRF token with autosave or upload request

Here is an example of how to send a CSRF token with an autosave or upload request.

ArticleEditor('#entry', {
    subscribe: {
        // Runs right before the editor sends an autosave request
        'autosave.before.send': function(event) {
            var xhr = event.get('xhr');
            // Replace 'your-token-value' with the token issued by your server
            xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
        },
        // Runs right before the editor sends an upload request
        'upload.before.send': function(event) {
            var xhr = event.get('xhr');
            xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
        }
    }
});

See the Events documentation for more on how to use events.