We take the security of Redactor very seriously. However, because the editor runs as JavaScript in the browser, it cannot protect against every attack and vulnerability. No matter how thoroughly the editor's own tools clean the code, an attacker can use the browser inspector or other tools to inject malicious markup into the editable content.
That's why we strongly recommend performing a server-side clean-up of any code you receive from Redactor.
Here are some of the checks that you need to do on the server side:
Here is an example of how to send a CSRF token with an autosave or upload request.
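One such server-side check, written here as an added example rather than code from Redactor itself: an allowlist-based clean-up of the submitted HTML that keeps only known-safe tags and attributes, drops scripts and other active content together with their bodies, restricts href/src to safe URL schemes (after decoding entities, so encoded schemes cannot slip through), and re-escapes everything it emits. The tag and attribute lists are assumptions to trim for your own application, and a maintained HTML sanitizer library is the better choice for production; the point of this block is to make the checks visible.

```javascript
// Allowlist clean-up of HTML submitted from the editor. Added example, not
// Redactor's own code; ALLOWED_TAGS / ALLOWED_ATTRS are assumptions.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 's', 'a',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote', 'pre', 'code', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };
const VOID_TAGS = new Set(['br', 'img']);
// Elements whose whole body is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':',
  nbsp: '\u00a0', tab: '\t', newline: '\n' };

// Decode numeric and the named entities listed above. Anything else is kept
// verbatim and fully escaped on output, so it can never become active markup.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (match, hex, dec, name) => {
    if (hex !== undefined || dec !== undefined) {
      const cp = hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp);
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v === undefined ? match : v;
  });
}

// Text nodes: neutralise < and > and bare &, but keep well-formed entities intact.
function escapeText(s) {
  return s.replace(/&(?![a-z][a-z0-9]*;|#[0-9]+;|#x[0-9a-f]+;)/gi, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values: always emitted decoded and fully escaped inside double quotes.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Browsers ignore ASCII control characters and whitespace inside a scheme, so
// strip them before looking at it. URLs without a scheme (relative paths,
// fragments) are allowed through.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

// Keep only allowlisted attributes for this tag; event handlers, style, class
// and anything else are dropped by never being on the list.
function renderAttrs(tag, raw) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z][a-zA-Z0-9_:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', a;
  while ((a = attrRe.exec(raw)) !== null) {
    const name = a[1].toLowerCase();
    if (!allowed.has(name)) continue;
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

// Walk the markup tag by tag, rebuilding a balanced tree from allowed tags only.
function sanitizeHtml(html) {
  const out = [];
  const open = [];        // allowed, non-void tags currently open
  let skipUntil = null;   // name of a dropped element whose body we are inside
  const tagRe = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = tagRe.lastIndex;
    if (skipUntil === null) out.push(escapeText(text));
    if (m[1] === undefined) continue;                    // HTML comment: dropped
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;               // unknown tag: tag removed, text kept
    if (closing) {
      if (VOID_TAGS.has(name)) continue;
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                          // stray closing tag
      while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    out.push(`<${name}${renderAttrs(name, m[2])}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  if (skipUntil === null) out.push(escapeText(html.slice(last)));
  while (open.length) out.push(`</${open.pop()}>`);     // close anything left open
  return out.join('');
}

module.exports = { sanitizeHtml, safeUrl, decodeEntities };
```

Run the editor's output through `sanitizeHtml` on the server before it is stored or rendered; the client-side clean-up stays useful for the user's own editing experience, but only the server-side pass can be trusted, since the browser inspector lets anyone bypass the editor.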
    Redactor('#entry', {
        subscribe: {
            // Attach the token to the autosave request before it is sent.
            'autosave.before.send': function(event) {
                let xhr = event.get('xhr');
                xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
            },
            // Attach the same token to file upload requests.
            'upload.before.send': function(event) {
                let xhr = event.get('xhr');
                xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
            }
        }
    });
See Events for more on how to use them.