Michael Buckbee
Risky Click Text Editor Edition

🔍 Is this risky? Most devs are great at knowing what parts of their apps are easier or harder to implement but don’t have a great sense of which are more or less of a security risk.


✏️ Embedded document editing is surprisingly risky. A good example is UEditor, a JavaScript rich-text editor that shipped with multiple Java and .NET CMS projects, had over 6k stars on GitHub, and had a vulnerability that allowed unrestricted file uploads to the server.


🛡️ Web Application Firewalls are great at helping with issues like this via “virtual patching.”

  • There’s no actual underlying code fix for this
  • There’s a clear exploit pattern
  • You add a firewall rule like “Block Path: /Ueditor”
  • You’re “virtually patched”
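As an added example (not code from the post, from UEditor, or from any WAF product), here is a minimal version of such a "Block Path: /Ueditor" rule in Python. It includes the path normalization a real WAF performs before matching, so that case, percent-encoding, doubled-slash and dot-segment spellings of the blocked prefix are still caught; the endpoint names under /Ueditor and the request lines are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote

# Constructed example, not the code of any WAF product or of UEditor: a
# minimal "virtual patch" rule in the spirit of "Block Path: /Ueditor".
BLOCKED_PREFIXES = ["/ueditor"]  # stored lowercase; compared after normalization


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path so trivial spellings of a blocked path
    (mixed case, percent-encoding, doubled slashes, dot segments) compare equal.
    A rule that matches only the raw string is easy to miss."""
    path = raw_path.split("?", 1)[0]          # the rule is about the path, not the query
    path = unquote(unquote(path))             # undo single and double percent-encoding
    if not path.startswith("/"):
        path = "/" + path
    path = "/" + posixpath.normpath(path).lstrip("/")  # collapse //, /./ and /../
    return path.lower()


def is_blocked(raw_path: str) -> bool:
    """True when the normalized path is the blocked prefix or lies beneath it.
    Matching whole path segments keeps e.g. /ueditor-docs/ out of scope."""
    path = normalize_path(raw_path)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PREFIXES)


def apply_rule(request_lines):
    """Run the rule over HTTP request lines; returns (raw_path, verdict) pairs."""
    verdicts = []
    for line in request_lines:
        _method, path, _version = line.split()
        verdicts.append((path, "BLOCK" if is_blocked(path) else "ALLOW"))
    return verdicts


# Constructed request lines; the endpoint names under /Ueditor are placeholders.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "POST /Ueditor/upload-endpoint?x=1 HTTP/1.1",        # plain hit
    "POST /UEDITOR//upload-endpoint HTTP/1.1",           # case + doubled slash
    "POST /%55editor/upload-endpoint HTTP/1.1",          # percent-encoded 'U'
    "POST /static/../Ueditor/upload-endpoint HTTP/1.1",  # dot segment
    "GET /ueditor-docs/readme.txt HTTP/1.1",             # similar name, different path
]

if __name__ == "__main__":
    for path, verdict in apply_rule(SAMPLE_REQUESTS):
        print(f"{verdict:5} {path}")
```

The last sample shows why the rule matches whole path segments rather than a bare string prefix: unrelated paths that merely start with the same letters stay allowed.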

