Many online WYSIWYG editors have proved to be vulnerable to cross-site scripting (XSS) attacks.
Because so many sites let users make forum posts, publish blog entries, send private messages, update wiki entries, submit support tickets, create signatures or leave comments through such editors, a large number of websites could be affected.
Some of the websites examined by security researcher Ashar Javed relied on third-party editor libraries that are potentially embedded in millions of other websites. A single vulnerability in one of those libraries would let attackers run script in the context of every site that embeds it.
One of the problems Javed identified was that the developers of WYSIWYG editors consider it the responsibility of the website or back-end developers to perform the sanitisation. Meanwhile, time-strapped website developers who pull a WYSIWYG editor off the shelf and plug it into their site assume that all the hard work has already been done for them, so nobody sanitises the content. Note that any filtering the editor performs in the browser is no defence on its own: an attacker controls their own browser and can submit arbitrary HTML directly to the server, so the server side must sanitise the content regardless of what the editor does. Javed recommended developing an "Unbreakable sanitizer/filter" that makes sure content entered into WYSIWYG editors is safe and cannot be used to exploit an XSS vulnerability.
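The following is an added example illustrating the server-side, allowlist-based sanitisation the story says is missing; it is not code from the article, from Javed's research, or from any of the editors examined. It assumes a Python back end and uses only the standard library `html.parser`, re-serialising a submitted fragment with only allowlisted tags and attributes kept, all `on*` handlers dropped, `script`/`style` bodies removed, and `href`/`src` values restricted to safe schemes after the same control-character stripping a browser performs. The payloads in the test are constructed for illustration. This is a reference shape rather than an "unbreakable" filter: in production, prefer a maintained, well-tested sanitiser over writing your own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed policy for a comment/forum editor): anything not listed is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style"}          # tag *and* its text are removed


def _safe_url(value):
    # Browsers strip tab/newline and leading/trailing control characters before
    # parsing a URL, so "java\tscript:alert(1)" still executes. Strip the same
    # characters before checking the scheme so the check sees what the browser sees.
    cleaned = "".join(ch for ch in (value or "") if ord(ch) > 0x20)
    return urlparse(cleaned).scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allowlisted tags/attributes; escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity refs decoded before our checks
        self.out = []
        self.open = []        # allowlisted tags we emitted and still need to close
        self.skip_depth = 0   # >0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag; its text (if any) is still emitted escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick, onerror, style, ... by construction
            if name in URL_ATTRS and not _safe_url(value):
                continue  # javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close back to the matching tag so the output is always well nested.
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped by the defaults.

    def result(self):
        self.close()
        while self.open:  # close anything the submitter left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize one HTML fragment submitted from a WYSIWYG editor."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample payloads, not taken from the article.
    for payload in [
        '<p onclick="alert(1)">hi</p>',
        '<img src="x" onerror="alert(1)">',
        '<a href="&#106;avascript:alert(1)">click</a>',
        '<script>alert(1)</script><b>bold',
    ]:
        print(repr(payload), "->", repr(sanitize(payload)))
```

The sanitiser works on the parsed token stream rather than on the raw string, so bypasses that defeat regex blocklists (entity-encoded schemes, tabs inside `javascript:`, unquoted attributes, unclosed tags) are handled by the parser before the policy is applied. Run it at the point where the submission is stored or rendered, never only in the editor.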