Security

We are taking Redactor’s security very seriously (sometimes even too seriously though). It is a tricky task now for those who want to inject malicious code using Redactor’s window. However, JavaScript and its environment does not allow us to cover you against 100% of attacks. That’s we strongly recommend you to perform a server-side clean-up of a code that you receive from Redactor.

You can perform such clean-up using any server-side programming language. Here’re some basic examples on PHP.

First off, send text from Redactor via POST, using form or with AJAX. Also, check if the form contents came from your site. You can do it by checking REFERER like this:

function is_referer()
{
    if (!isset($_SERVER['HTTP_REFERER'])) return false;

    $url = parse_url($_SERVER['HTTP_REFERER']);

    if ($url['host'] == 'yoursite.com') return true;
    else return false;
}

Clean the tags that are not allowed in Redactor. Here’s how:

function clear_tags($str)
{
    return strip_tags($str, '<code><span><div><label><a><br><p><b><i>
    <del><strike><u><img><video><audio><iframe><object><embed><param>
    <blockquote><mark><cite><small><ul><ol><li><hr><dl><dt><dd><sup>
    <sub><big><pre><code><figure><figcaption><strong><em>
    <table><tr><td><th><tbody><thead><tfoot>
    <h1><h2><h3><h4><h5><h6>');
}

And clean attributes of tags with html-clean libraries (in PHP is to use a library like htmLawed or htmlpurifier).

When a user uploads a picture, perform a check if it actually is a picture:

function is_image($image_path)
{
    if (!$f = fopen($image_path, 'rb'))
    {
        return false;
    }

    $data = fread($f, 8);
    fclose($f);

    // signature checking
    $unpacked = unpack("H12", $data);
    if (array_pop($unpacked) == '474946383961'
    || array_pop($unpacked) == '474946383761') return "gif";

    $unpacked = unpack("H4", $data);
    if (array_pop($unpacked) == 'ffd8') return "jpg";
    $unpacked = unpack("H16", $data);
    if (array_pop($unpacked) == '89504e470d0a1a0a') return "png";

    return false;
}