Is <object in rich text editor a security risk?
Posted: Wed Aug 19, 2009 7:25 am
by jmut
Hi, I am trying to tighten security on the richtext editor we got. For some crazy reason we're using tinymce, but anyhow... I stripped stuff down to limited tags (using htmlpurifier).
Now the question is: is the <object tag a security threat, e.g. flash stuff etc.? And if it is, any examples/proofs of the issue? Thanks.
Re: Is <object in rich text editor a security risk?
Posted: Wed Aug 19, 2009 8:55 am
by jackpf
Here's something that may be of interest to you:
viewtopic.php?f=6&t=104827
Re: Is <object in rich text editor a security risk?
Posted: Wed Aug 19, 2009 9:19 am
by Mordred
Also, flash cookies, loading known vulnerable plugins and exploiting them, logging of user IPs. That's what I can think of offhand.
Re: Is <object in rich text editor a security risk?
Posted: Wed Aug 19, 2009 10:15 am
by jmut
Got the picture. Get rid of flash set by users.

Thanks
Re: Is <object in rich text editor a security risk?
Posted: Wed Aug 19, 2009 10:27 am
by Mordred
It's not just flash, all types of embedded content (i.e. plugins) are potentially dangerous.
Also, don't forget the <embed tag.
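One way to apply the thread's conclusion with HTMLPurifier, as an added example that is not code from the thread or from the HTMLPurifier project: an explicit allowlist of text and list markup that leaves <object, <embed and <param out entirely, so nothing the editor saves can carry plugin content. The require path and the sample HTML are assumptions.

```php
<?php
// Added example (not from the thread). Assumes HTMLPurifier is installed
// at the path below; adjust it to your install.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function buildPurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Allowlist: any element not listed here is dropped, which covers
    // <object>, <embed>, <param>, <applet>, <script>, <iframe> and so on.
    $config->set('HTML.Allowed',
        'p,br,b,strong,i,em,a[href|title],ul,ol,li,blockquote');

    // Keep plugin content out even in HTMLPurifier's restricted "safe" form.
    // Both are false by default; set them explicitly so a later config
    // change cannot silently re-enable Flash or other plugin embeds.
    $config->set('HTML.SafeObject', false);
    $config->set('HTML.SafeEmbed', false);

    // Only http(s) and mailto links; javascript:, data: and the like are
    // stripped from href attributes.
    $config->set('URI.AllowedSchemes',
        array('http' => true, 'https' => true, 'mailto' => true));

    return new HTMLPurifier($config);
}

// Constructed sample of what a user could paste into the editor.
$dirty = '<p>Hello <b>world</b></p>'
       . '<object data="movie.swf" type="application/x-shockwave-flash">'
       . '<param name="allowScriptAccess" value="always"/>fallback text</object>'
       . '<embed src="movie.swf" type="application/x-shockwave-flash"/>'
       . '<a href="javascript:alert(1)">click</a>';

$clean = buildPurifier()->purify($dirty);
echo $clean, "\n";
```

The disallowed elements are removed (by default HTMLPurifier keeps only the plain text inside them), and the javascript: href is stripped from the link.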