Is <object in rich text editor a security risk?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Is <object in rich text editor a security risk?

Post by jmut »

Hi, I am trying to tighten security on the rich text editor we got. For some crazy reason we're using tinymce, but anyhow... I stripped stuff down to a limited set of tags (using htmlpurifier).

Now the question is: is the <object tag a security threat, e.g. flash stuff etc.? And if it is, any examples/proofs of the issue? Thanks.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Is <object in rich text editor a security risk?

Post by jackpf »

Here's something that may be of interest to you:
viewtopic.php?f=6&t=104827
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is <object in rich text editor a security risk?

Post by Mordred »

Also, flash cookies, loading known vulnerable plugins and exploiting them, logging of user IPs. That's what I can think of offhand.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: Is <object in rich text editor a security risk?

Post by jmut »

Got the picture. Get rid of flash set by users :) Thanks.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Is <object in rich text editor a security risk?

Post by Mordred »

It's not just flash: all types of embedded content (i.e. plugins) are potentially dangerous.
Also, don't forget the <embed tag.
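As an added example (not code from this thread or from the HTMLPurifier project), here is how the server-side filtering the original poster describes can be made explicit so that <object>, <embed> and similar plugin elements are dropped whatever the editor sends. It assumes HTMLPurifier is installed via Composer (the `vendor/autoload.php` path is an assumption; adjust it to your setup) and that the application only needs a small set of formatting tags. The editor's own tag configuration runs in the browser and can be bypassed, so the allowlist has to be enforced in PHP before the content is stored or rendered.

```php
<?php
// Added example, not from the thread: server-side allowlisting with HTMLPurifier.
// Assumes HTMLPurifier is installed via Composer; the path below is an assumption.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Return a copy of $html reduced to a small allowlist of formatting tags.
 * Plugin content (<object>, <embed>, <applet>) and frames are not in the
 * allowlist, so they are removed regardless of what the editor submitted.
 */
function sanitize_rich_text(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allowlist: only these elements and attributes survive. Everything else,
    // including <object>, <embed> and <script>, is stripped.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,u,ul,ol,li,a[href|title],img[src|alt]');

    // Belt and braces: even if someone later widens HTML.Allowed, keep the
    // plugin and frame elements forbidden explicitly.
    $config->set('HTML.ForbiddenElements', 'object,embed,applet,iframe');

    // HTML.SafeObject / HTML.SafeEmbed are left at their default (false), so
    // HTMLPurifier never emits its "safe" Flash wrapper either.

    // Only http/https link and image targets; javascript:, data: etc. are dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample input resembling what a user could paste into the editor.
$dirty = '<p>Hello <b>world</b></p>'
    . '<object data="movie.swf" type="application/x-shockwave-flash"></object>'
    . '<embed src="movie.swf">'
    . '<a href="javascript:alert(1)">click</a>';

$clean = sanitize_rich_text($dirty);

// Self-check: fail loudly if any plugin tag or script URI survived.
foreach (['<object', '<embed', '<applet', '<iframe', 'javascript:'] as $needle) {
    if (stripos($clean, $needle) !== false) {
        fwrite(STDERR, "sanitizer let through: $needle\n");
        exit(1);
    }
}

echo $clean, PHP_EOL;
```

Run it from the command line after installing HTMLPurifier; the `<p>` and `<b>` content is kept, the `<object>` and `<embed>` elements disappear, and the `javascript:` link loses its `href` because the scheme is not in `URI.AllowedSchemes`. Keeping the allowlist short is the practical answer to the thread: rather than deciding per plugin type whether it is dangerous, permit only the handful of tags the editor actually needs.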