I was wondering what the right approach should be to prevent XSS attacks from stored fields, and especially Kirbytext. It’s clear to me, that only users with an account can change the content, but there might be an angle where an attacker might be able to change files directly on a server or FTP host.
While I can use
html() on most other fields, this makes no sense for Kirbytext, as the HTML output would be escaped. I also didn’t find much in the docs about this, so
- What fields should usually be escaped? Which fields already escape content (in my test the URL field for example didn’t allow “simple” XSS attacks)
- What would be the right approach to prevent XSS in Kirbytext fields?
- Is escaping even necessary, if input is only allowed from users with an account?
- the first step would be to validate input. Kirby has a lot of built-in validators you can use. You can also use regex and create your own validators. That way you can prevent unwanted input in the first place.
- you can - and maybe should - escape all field content, you can also do this with kirbytext, if you call
esc() before calling kirbytext:
- you should definitely secure your server and not allow simple FTP or weak passwords
- placing all important folders outside the web root adds another level of security (usually not possible on shared hosting, though.
- regular backups are always a must, version control helps as well and is easy with a file based CMS where you don’t have to deal with a database
See also: https://getkirby.com/docs/guide/security
Great, thanks so much. Just a few follow up questions:
- Do I still have to escape fields with validator functions, like the URL field?
- How would you validate a normal text field, like a title field?
- If I use
escape() on all input fields, I don’t have to validate those fields in the panel anymore, right?
Not from a security point of view, but if you want to make sure you get the content you want, validation makes sense. After all, escaped script tags don’t look great on the frontend.
You could use regex validation, for example to make sure that editors do not enter any script tags.
Note that you might not want to escape all content in textarea fields or prevent tags in general through validation. There may be cases where you want to allow HTML tags or even script tags.
Users with Panel access can in general do more harm than adding scripts in text files. Depending on their rights, they can just delete anything or write content that hurts the company, so why should they bother with XSS attacks?
The bigger problem are certainly people who get access to the Panel or your server without having legitimate rights to be there.
See also this post: Safety aspects of kirby (compared to...) - #3 by bastianallgeier