🔒 Security

Sanitization, XSS protection, and security best practices for Neiki's Editor.


⚠️ Why Sanitization Matters

Neiki's Editor is a rich text editor — users can paste content from any source, including web pages, documents, and potentially malicious sites. Without proper sanitization:

  • XSS (Cross-Site Scripting) — injected <script> tags can steal cookies, hijack sessions, or deface pages
  • Event handler injection: onclick="maliciousCode()" on any element
  • Protocol injection: href="javascript:..." in links

Always sanitize HTML on the server before saving to a database or rendering to other users.


🛡️ Built-in Client-Side Sanitization

Neiki's Editor sanitizes all HTML that enters the editor — from autosave restoration, textarea content, setContent(), and insertHTML(). The built-in sanitizer:

  • Strips dangerous tags: <script>, <iframe>, <object>, <embed>, <form>, etc.
  • Removes event handler attributes: onclick, onerror, onload, onmouseover, etc.
  • Removes javascript: and data: protocol URLs in href and src attributes
  • Uses a safe entity-decoding approach (regex-based, not innerHTML-based) to prevent entity-encoding bypass attacks

[!IMPORTANT]
Client-side sanitization is a defense-in-depth measure. It does not replace server-side sanitization. Always validate and sanitize on the server.
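As an added example (this is not Neiki's Editor's own code), here is the decode-then-check pattern the built-in sanitizer describes, with regex-based entity decoding so it runs without a DOM and never parses the value as markup. It goes one step beyond the list above by using a scheme allowlist instead of a javascript:/data: blocklist; the NAMED table, SAFE_SCHEMES, and the function names are this example's own.

```javascript
// Added example, not Neiki's Editor's own code: regex-based entity decoding
// followed by a URL-scheme check, in the spirit of the built-in sanitizer.
// Decoding first and checking second catches encoded protocols such as
// "javascript&#58;" or "&#106;avascript:" that a raw-string check would miss.

// Small named-entity table (this example's own); numeric forms are generic.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
                colon: ':', Tab: '\t', NewLine: '\n', nbsp: '\u00a0' };

// Decode HTML entities exactly once, as a browser does; unknown names stay literal.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    // hasOwnProperty keeps names like "constructor" or "__proto__" from
    // resolving through the prototype chain (prototype pollution guard).
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// Scheme allowlist: stricter than a javascript:/data: blocklist, because every
// scheme not listed here (vbscript:, data:, file:, ...) is rejected.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

function isSafeUrl(raw) {
  // Decode, then drop control characters and whitespace that browsers ignore
  // inside a scheme (e.g. "java\tscript:"), before looking for "scheme:".
  const probe = decodeEntities(String(raw)).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (!m) return true;                 // no scheme: relative URL or plain path
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Attribute filter: drops on* handlers and unsafe href/src values.
// attrs is an array of [name, value] pairs; returns the pairs that are kept.
function filterAttributes(attrs) {
  return attrs.filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n.startsWith('on')) return false;                 // onclick, onerror, ...
    if ((n === 'href' || n === 'src') && !isSafeUrl(value)) return false;
    return true;
  });
}
```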


🐘 Server-Side Sanitization — PHP Helper

The included PHP helper provides a sanitize() method:

    :::php
    require_once 'path/to/php/neiki-editor.php';

    // Sanitize before saving to database
    $cleanHTML = NeikiEditor::sanitize($_POST['content']);

    $stmt = $pdo->prepare('UPDATE articles SET body = ? WHERE id = ?');
    $stmt->execute([$cleanHTML, $articleId]);

The PHP sanitizer strips:

  • Dangerous tags (<script>, <iframe>, <object>, <embed>, <form>, <input>, etc.)
  • Event handler attributes (onclick, onerror, onload, onfocus, onblur, etc.)
  • javascript: and data:text/html protocol URLs

✅ Safe Tags Allowlist

The built-in sanitizer allows these HTML elements (content generated by the editor):

| Category   | Tags |
|------------|------|
| Structure  | p, div, span, br, hr |
| Headings   | h1, h2, h3, h4, h5, h6 |
| Formatting | strong, b, em, i, u, s, sub, sup, mark, code, pre |
| Lists      | ul, ol, li |
| Links      | a (with href, target, rel) |
| Media      | img (with src, alt, width, height), video, source |
| Tables     | table, thead, tbody, tr, td, th (with colspan, rowspan) |
| Quotes     | blockquote |

[!NOTE]
For production use with strict requirements, consider using a dedicated server-side HTML sanitization library such as HTML Purifier (PHP), DOMPurify (JS), or Bleach (Python).


🔐 Content Security Policy (CSP)

If your application uses a Content Security Policy, ensure the following are allowed for the editor to function:

Content-Security-Policy:
    script-src 'self' https://cdn.neikiri.dev https://cdn.jsdelivr.net;
    style-src 'self' 'unsafe-inline' https://cdn.neikiri.dev;
    img-src 'self' data: blob: *;

[!CAUTION]
'unsafe-inline' for style-src is required because the editor applies inline styles for font sizes, colors, and image dimensions. If your CSP disallows this, some formatting features will not work.


🔑 Autosave Security

Autosave stores content in localStorage. Be aware:

  • Content in localStorage is not encrypted
  • It is accessible to any JavaScript on the same origin
  • For sensitive content, disable autosave and use server-side saving instead

    :::javascript
    new NeikiEditor('#editor', {
      // Don't use autosave for sensitive forms
      // Use onSave/onChange to send to your encrypted backend
      onSave: async function(content) {
        await fetch('/api/save', {
          method: 'POST',
          headers: {
            'Content-Type': 'application/json',
            'X-CSRF-Token': getCsrfToken()
          },
          body: JSON.stringify({ content })
        });
      }
    });


🛡️ XSS Prevention Changelog

Notable security fixes in Neiki's Editor:

| Version | Fix |
|---------|-----|
| 3.0.3  | Fixed polynomial regex risk in HTML code view — replaced with deterministic linear scan |
| 2.10.1 | Fixed XSS vulnerability in sanitizer's entity decoding — replaced innerHTML-based decoding with safe regex approach |
| 2.9.3  | Hardened autosave HTML sanitization; fixed unsafe modal value interpolation for link/image dialogs; guarded against prototype pollution (__proto__, constructor) |
| 2.9.4  | Reworked autosave storage key normalization to avoid polynomial regex on uncontrolled input; updated HTML sanitization parsing to avoid DOMParser.parseFromString |

📋 Security Checklist

  • Server-side sanitization before saving to database
  • CSRF tokens on all form submissions
  • imageUploadHandler validates file types server-side
  • Content retrieved via getContent() sanitized before display to other users
  • Autosave disabled for sensitive content
  • CSP headers configured appropriately
  • Using latest editor version (check Changelog)

  • 🔗 Integration Guide: PHP sanitization helper usage
  • 🧩 Advanced Features: Autosave configuration
  • 📋 Changelog: Security fix history
