
Sanitize HTML data received from CKEditor getData() method [ckeditor]


I want to get sanitized data from CKEditor when I use CKEDITOR.instances['textareaId'].getData(); function.

I have noticed CKEditor internally sanitizes the input provided in the 'Source' part.

Example

  • If the input is <p onclick="alert('document.cookie')">Some Text</p> it gets converted to <p>Some Text</p>.
  • But when I try to retrieve the data using CKEDITOR.instances['textareaId'].getData(); it returns <p onclick="alert('document.cookie')">Some Text</p>.

Is there any way to have CKEditor sanitize the data when the getData() function is called?


Solution

  • From CKEditor's point of view, don't disable Advanced Content Filter (ACF), i.e. don't use config.allowedContent = true;. That way unwanted HTML attributes will be removed.

    Please note, however, that JavaScript, no matter how good, can always be disabled, so ACF by no means can be treated as a security filter. If you wish to sanitize your HTML, please use a server-side library for that and not JavaScript. Sanitizing user input with your server-side application code is the only correct way to do it.