
Security

We take the security of Redactor very seriously. However, because the editor is written in JavaScript, it cannot protect against every attack and vulnerability. No matter how thoroughly the editor's own tools clean the code, an attacker can use the browser's inspector or other tools to inject malicious markup into the editable content.

That is why we strongly recommend performing a server-side clean-up of the code you receive from Redactor.

Here are some of the checks that you need to perform on the server side:

  • remove all tags that are undesirable in your content;
  • remove all tag attributes that are undesirable in your content, especially on images and embed code;
  • check that the POST request carrying the data has the Referer you expect;
  • set up a CSRF token when uploading images to the server;
  • check that an uploaded image file really is an image and not a file with malicious code disguised as one.
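As an added illustration of the first, second and last checks above (example code written for this page, not part of Redactor or its server-side packages), a small Python server-side clean-up: an allowlist HTML sanitizer built on the standard library's html.parser that drops unlisted tags, unlisted attributes and unsafe URL schemes, plus a magic-byte check for uploaded images. The tag/attribute allowlist is an assumption; adapt it to the content your site accepts.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(),
           "ol": set(), "li": set(), "a": {"href"}, "img": {"src", "alt"}}  # tag -> attributes it may keep
VOID_TAGS = {"br", "img"}            # no closing tag is emitted for these
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}

def _safe_url(value):
    # Allow http(s) and site-relative paths; reject javascript:, data:, vbscript: and //host.
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                # drops onerror=, onclick=, style=, srcdoc=, ...
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))   # <script> bodies land here too, as inert text

def sanitize_html(html):
    # Server-side clean-up of editor output: re-emit only allowlisted tags and attributes.
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def image_type(data):
    """Identify an upload by its magic bytes; None means it is not a JPEG, PNG or GIF."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None
```

Comments and doctype declarations are silently discarded by the parser callbacks this class does not override, and tag and attribute names are lower-cased by html.parser before they reach the allowlist.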

Send CSRF token with autosave or upload request

Here is an example of how to send a CSRF token with an autosave or upload request.

Redactor('#entry', {
    subscribe: {
        'autosave.before.send': function(event) {
            let xhr = event.get('xhr');
            // replace 'your-token-value' with the token issued by your server for this session
            xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
        },
        'upload.before.send': function(event) {
            let xhr = event.get('xhr');
            // the same header on image uploads, so the server can reject requests without it
            xhr.setRequestHeader('X-CSRF-Token', 'your-token-value');
        }
    }
});

See the Events documentation for more on how to use events.