The text editor in DNN may exploit a security risk.
If the editor is placed on a page, say for a registered user updating their profile's bio, the Image Manager, Document Manager, etc. gives the user access to the portal root, where they can delete, upload, rename images, docs, etc. along with looking at the directory structure. They could easily, through the Doc Manager, add a link in their bio to a restricted document and, once the bio is saved, click on the link to download the file.
The managers need to be disabled or localized to the logged in user's directory (/Portals/PortalId/Users/UserId/UserId).
Thanks,
Joshua
If the editor is placed on a page, say for a registered user updating their profile's bio, the Image Manager, Document Manager, etc. gives the user access to the portal root, where they can delete, upload, rename images, docs, etc. along with looking at the directory structure. They could easily, through the Doc Manager, add a link in their bio to a restricted document and, once the bio is saved, click on the link to download the file.
The managers need to be disabled or localized to the logged in user's directory (/Portals/PortalId/Users/UserId/UserId).
Thanks,
Joshua
1 Answer, 1 is accepted
0
Hi Joshua,
Please, note that version 5.4 of DNN uses the Professional provider of RadEditor, which is implementation of the DNN developers and it is not supported by Telerik.
Our suggestion is to post your question in the DNN forums at http://www.dotnetnuke.com/tabid/795/default.aspx and ask the support of DNN for help. This article could be also helpful : Taming (customizing) The new Telerik RadEditor.
Kind regards,
Dobromir
the Telerik team
Please, note that version 5.4 of DNN uses the Professional provider of RadEditor, which is implementation of the DNN developers and it is not supported by Telerik.
Our suggestion is to post your question in the DNN forums at http://www.dotnetnuke.com/tabid/795/default.aspx and ask the support of DNN for help. This article could be also helpful : Taming (customizing) The new Telerik RadEditor.
Kind regards,
Dobromir
the Telerik team
Do you want to have your say when we set our development plans?
Do you want to know when a feature you care about is added or when a bug fixed?
Explore the
Telerik Public Issue Tracking
system and vote to affect the priority of the items