I want to protect my application from attacks, so I wanted to disable any type of execution in my CKEditor config. I found a solution, allowContent: false, which prevents <script> tags inside CKEditor, but after putting <p><a href="javascript:(alert(document.domain))">XSS</a></p> in the CKEditor it still executes the JS inside href.
Config:

    config = {
        ...,
        allowContent: false
    }
Now the script below doesn't work after applying the above config:

    <script>alert(1)</script>
I also wanted to prevent the JS below inside href, but currently it is executing:

    <p><a href="javascript:(alert(document.domain))">XSS</a></p>
You have to sanitize the data input to the CKEditor. The config.htmlEmbed.sanitizeHtml option of CKEditor allows plugging in an external sanitizer.
In my opinion, the best sanitizer available for now is the DOMPurify library.
Here is more info on including DOMPurify in CKEditor: more info.
In my opinion, it is very hard to secure CKEditor "by yourself", so better use a sanitizer. There were some security issues in this software; an interesting example is described here: CKEditor XSS
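An added example (not code from the question or the answer) of wiring an external sanitizer into the htmlEmbed.sanitizeHtml hook the answer refers to. It assumes CKEditor 5's contract that the hook returns { html, hasChanged }, and uses a constructed stub in place of DOMPurify so the file runs offline; in real code pass the DOMPurify instance.

```javascript
// Options passed to DOMPurify.sanitize(). The default "html" profile already
// drops <script> elements and javascript: URLs, so no custom allow-list is
// needed for the payloads in the question. (Assumed DOMPurify config.)
const PURIFY_CONFIG = { USE_PROFILES: { html: true } };

// Builds the htmlEmbed.sanitizeHtml callback. `purify` is any object with
// DOMPurify's sanitize(html, config) signature (normally DOMPurify itself).
function buildSanitizeHtml(purify) {
  return function sanitizeHtml(inputHtml) {
    const outputHtml = purify.sanitize(inputHtml, PURIFY_CONFIG);
    return {
      html: outputHtml,
      // Lets the editor tell the user that something was stripped.
      hasChanged: outputHtml !== inputHtml,
    };
  };
}

// Editor config as passed to ClassicEditor.create(element, config).
function buildEditorConfig(purify) {
  return {
    htmlEmbed: {
      showPreviews: true, // previews are only safe with a sanitizer in place
      sanitizeHtml: buildSanitizeHtml(purify),
    },
  };
}

// Constructed stand-in so this runs without a DOM or DOMPurify. It only
// removes <script> elements and javascript: hrefs; it is NOT a sanitizer
// and exists purely to exercise the hook contract above.
const stubPurify = {
  sanitize(html) {
    return html
      .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
      .replace(/\shref\s*=\s*(["'])\s*javascript:[^"']*\1/gi, '');
  },
};

// The payload from the question, used as constructed sample input.
const SAMPLE = '<p><a href="javascript:(alert(document.domain))">XSS</a></p>';
const sanitizeHtml = buildEditorConfig(stubPurify).htmlEmbed.sanitizeHtml;
console.log(sanitizeHtml(SAMPLE)); // { html: '<p><a>XSS</a></p>', hasChanged: true }
```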