CKeditor CKfinder 安全配置记录
编辑器时常会用到，CK 的安全漏洞还是需要及时补上。首先要把所有不必要的文件全部删除，比如随包附带的 html、txt、php 等示例文件。
一、CKeditor 过滤不安全的HTML标签
//编码
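/// <summary>
/// Sanitises editor (user-supplied) HTML before it is stored: removes a fixed
/// deny-list of tags together with their content, then HTML-encodes whatever is left.
/// </summary>
/// <remarks>
/// This is a deny-list, not an allow-list: tags that are not in <c>blockedTags</c>
/// (and any attributes on them) pass through untouched into the encoded output.
/// The final <see cref="HttpUtility.HtmlEncode(string)"/> is what neutralises those;
/// if the stored value is later passed through <c>DecodeStr</c> and rendered as raw
/// HTML, only the tag removal done here still applies.
/// </remarks>
/// <param name="str">Raw HTML from the editor. <see langword="null"/> is treated as empty.</param>
/// <returns>The HTML-encoded remainder, or <see cref="string.Empty"/> for null/empty input.</returns>
public static string EncodeStr(string str)
{
    if (string.IsNullOrEmpty(str))
    {
        // Fail closed on missing input instead of throwing from Regex.Replace.
        return string.Empty;
    }

    // Singleline so that ".*?" also spans line breaks: a tag whose body contains a
    // newline (very common for <script>/<style>) must still be removed as a unit.
    const RegexOptions opts = RegexOptions.IgnoreCase | RegexOptions.Singleline;

    string[] blockedTags =
    {
        "html", "body", "meta",
        "frame", "frameset", "iframe", "layer", "ilayer", "applet", "script",
        "embed", "object",     // flash / plugins
        "link", "style",       // external / inline style sheets
        "img",                 // images
        "a",                   // hyperlinks
        "form", "input", "textarea", "select",
    };

    foreach (string tag in blockedTags)
    {
        // \b keeps "<a" from matching "<abbr>", "<frame" from matching "<frameset>", etc.
        // Paired form first, so the content between the tags is dropped with it.
        str = Regex.Replace(str, "<" + tag + @"\b[^>]*>.*?</" + tag + @"\s*>", "", opts);

        // Anything the paired pattern left behind: self-closing "<tag .../>", void tags
        // written without a closing tag ("<img src=...>", "<input ...>"), unterminated
        // opening tags, and stray closing tags.
        str = Regex.Replace(str, "</?" + tag + @"\b[^>]*>", "", opts);
    }

    return HttpUtility.HtmlEncode(str);
}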
//解码
/// <summary>
/// Reverses the HTML-encoding step applied at the end of <c>EncodeStr</c>, turning
/// entities such as <c>&amp;lt;</c> back into literal characters.
/// </summary>
/// <param name="encodeStr">HTML-encoded text; <see langword="null"/> is returned as-is.</param>
/// <returns>
/// The decoded text. Any markup that <c>EncodeStr</c> did not strip is restored too,
/// so the result is not safe to write into a page as raw HTML.
/// </returns>
public static string DecodeStr(string encodeStr) => HttpUtility.HtmlDecode(encodeStr);
二、CKfinder 上传权限
在 config.ascx 文件中判断上传权限（这是服务端对连接器的访问控制）
/// <summary>
/// CKFinder connector hook (overridden in config.ascx) that decides whether the
/// current request may use the file browser / upload connector at all.
/// </summary>
/// <returns>
/// In this sample, <see langword="true"/> unconditionally: every request, including an
/// anonymous one, is granted access. The real check against the application's own
/// authentication/authorization must replace this before the connector goes live.
/// </returns>
public override bool CheckAuthentication()
{
//permission-check code goes here (left as a placeholder in this sample)
return true;
}
三、上传文件自动重命名
需要修改CKfinder源码
1.打开 /Settings/ConfigFile.cs 文件，添加一个公共字段：public bool RandomReName;
2.打开/Connector/Config.cs文件,添加一个属性:
/// <summary>
/// Whether uploaded files are stored under a random (GUID-based) name instead of the
/// client-supplied one; read straight from the current <c>ConfigFile</c> settings.
/// </summary>
public bool RandomReName => Settings.ConfigFile.Current.RandomReName;
3.打开/Connector/CommandHandlers/FileUploadCommandHandler.cs文件
在获取文件后缀名的代码之后，增加修改文件名的代码：
// Extension of the client-supplied file name, without the leading dot (".jpg" -> "jpg").
string sExtension = System.IO.Path.GetExtension(sFileName);
sExtension = sExtension.TrimStart('.');
// When RandomReName is enabled, discard the client-supplied base name and store the
// file under a fresh GUID. The extension still comes from the client's file name, so
// the handler's allowed-extension check (outside this snippet) remains the control over
// which file types are stored — NOTE(review): confirm it runs before this point.
// NOTE(review): a file name without an extension ends up as "<guid>." (trailing dot).
if (Config.Current.RandomReName)
{
sFileName = Guid.NewGuid() + "." + sExtension;
}
这里使用 GUID 作为新的上传文件名（扩展名保留原文件的扩展名），修改后重新编译 DLL 供项目引用。
四、上传文件大小限制
要在config.ascx里加上限制 type.MaxSize = 307200;
这个参数容易引起误会：它限制的不是上传前原文件的大小，而是经 CKfinder 上传并压缩后的文件大小。这里限制为 300K（307200 字节）。
五、隐藏上传图片对话框中的部分功能，上传 Flash 的对话框以此类推
在 CKeditor/plugins/image/dialogs/image.js 里修改相应的代码。注意：这只是隐藏前端界面，并不是服务端的访问控制，浏览/上传权限仍要靠第二节的 CheckAuthentication 等服务端检查来保证。
1.隐藏浏览服务器按钮
查找关键字 {type:"button",id:"browse" ，修改属性：style:"display:none;"
2.隐藏 超链接 选项卡
查找关键字 {id:"Link", 修改属性:hidden:1
3.隐藏 高级 选项卡
查找关键字 {id:"advanced" ，增加属性：hidden:1