Server-side Editor API security considerations

The Server-side Editor API includes security measures to prevent malicious code execution. Every script is analyzed before execution to detect and block potentially dangerous operations.

# Restricted Operations

The following categories of operations are blocked for security reasons:

Note: Regular HTTP calls using the CKEditor 5 API (like fetch() or HTTP requests through the editor’s data layer) are permitted and can be used to communicate with third-party services. The restrictions apply only to potentially dangerous browser APIs and operations.

# Global Functions and APIs

The API blocks access to potentially dangerous global functions and APIs that could be used for malicious purposes:

  • Code execution functions: eval, Function, importScripts
  • Timing functions: setTimeout, setInterval, requestAnimationFrame
  • Network and communication: XMLHttpRequest, WebSocket, Worker, SharedWorker, BroadcastChannel
  • File and data access: FileReader, indexedDB
  • Encoding/decoding: atob, btoa, decodeURIComponent
  • Storage access: localStorage, sessionStorage
  • Browser navigation: history, import
  • Performance monitoring: performance

# Browser APIs and Document Manipulation

Access to browser-specific APIs is restricted to prevent unauthorized document manipulation and browser state changes:

  • Document creation and modification: document.createElement, document.write, document.writeln, document.createElementNS
  • Document properties: document.cookie, document.body, document.head, document.location
  • Window operations: window.open, window.location, window.postMessage, window.btoa, window.atob, window.document, window.navigator, window.performance
  • URL manipulation: URL.createObjectURL
  • Browser information: navigator.sendBeacon, navigator.userAgent, navigator.platform
  • Performance data: performance.now, performance.getEntries
  • History manipulation: history.pushState, history.replaceState

# Element Operations

Direct manipulation of DOM elements is blocked to prevent injection attacks:

  • HTML injection: element.innerHTML, element.outerHTML, element.insertAdjacentHTML
  • Event handling: element.addEventListener

# Constructor Calls

Creating certain objects is restricted to prevent potential security vulnerabilities:

  • File objects: new Blob(), new File(), new FileReader()
  • Communication objects: new WebSocket(), new Worker(), new SharedWorker(), new BroadcastChannel()
  • Code execution: new Function()
  • URL objects: new URL()

# URL Schemes

Certain URL schemes are blocked to prevent code injection and data leakage:

  • Data URLs: data:
  • Blob URLs: blob:
  • JavaScript URLs: javascript:
  • VBScript URLs: vbscript:

# Security Violations

If your script contains restricted operations, the API will return an error with details about the violation, including the line and column position.

Always test your scripts in a development environment before using them in production. The security analysis is strict and may block legitimate operations that appear suspicious.
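The following is an added example, not the Server-side Editor API's own analyzer: a local pre-check in JavaScript that scans a script for the restricted categories listed above (blocked globals, browser APIs, element operations, constructor calls and URL schemes) and reports each hit with a line and column, in the same spirit as the violation errors described in this section. It is a regex approximation that ignores scoping and string boundaries, so it over-reports on suspicious-looking text rather than under-reporting; the sample script at the bottom is constructed for the example.

```javascript
// Added example, not CKEditor's own analyzer: a regex-based pre-check that
// scans a script for the operation categories this page lists as restricted
// and reports each hit with a 1-based line and column. The real analysis is
// stricter than this approximation; use this only to catch obvious problems
// before submitting a script.

const BLOCKED_GLOBALS = new Set([
  'eval', 'Function', 'importScripts',                   // code execution
  'setTimeout', 'setInterval', 'requestAnimationFrame',  // timing
  'XMLHttpRequest', 'WebSocket', 'Worker', 'SharedWorker', 'BroadcastChannel',
  'FileReader', 'indexedDB', 'atob', 'btoa', 'decodeURIComponent',
  'localStorage', 'sessionStorage', 'history', 'performance',
]);

const BLOCKED_MEMBERS = new Set([
  'document.createElement', 'document.write', 'document.writeln', 'document.createElementNS',
  'document.cookie', 'document.body', 'document.head', 'document.location',
  'window.open', 'window.location', 'window.postMessage', 'window.btoa', 'window.atob',
  'window.document', 'window.navigator', 'window.performance',
  'URL.createObjectURL',
  'navigator.sendBeacon', 'navigator.userAgent', 'navigator.platform',
  'performance.now', 'performance.getEntries',
  'history.pushState', 'history.replaceState',
]);

// Properties blocked on any element, whatever the receiver variable is called.
const BLOCKED_ELEMENT_PROPS = new Set(['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'addEventListener']);
const BLOCKED_CONSTRUCTORS = new Set([
  'Blob', 'File', 'FileReader', 'WebSocket', 'Worker', 'SharedWorker', 'BroadcastChannel', 'Function', 'URL',
]);
const BLOCKED_SCHEME_RE = /['"`]\s*(data|blob|javascript|vbscript):/gi;
const MEMBER_RE = /([A-Za-z_$][\w$]*)\.(?=([A-Za-z_$][\w$]*))/g;  // obj.prop, prop kept in lookahead so chains are scanned
const CONSTRUCTOR_RE = /\bnew\s+([A-Za-z_$][\w$]*)/g;
const IDENTIFIER_RE = /(?<![\w$.])([A-Za-z_$][\w$]*)/g;          // identifiers not preceded by '.'

function analyzeScript(source) {
  const violations = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    // Drop '//' comments that start a line or follow whitespace; the '//' in a
    // URL string (https://...) is preceded by ':' and is therefore kept.
    const code = text.replace(/(^|\s)\/\/.*$/, '$1');
    const skip = new Set();  // offsets of identifiers already reported via another rule
    const report = (column, kind, match) => violations.push({ line, column, kind, match });
    let m;
    while ((m = MEMBER_RE.exec(code)) !== null) {
      const full = `${m[1]}.${m[2]}`;
      if (BLOCKED_MEMBERS.has(full)) { report(m.index + 1, 'browser-api', full); skip.add(m.index); }
      else if (BLOCKED_ELEMENT_PROPS.has(m[2])) report(m.index + 1, 'element-operation', full);
    }
    while ((m = CONSTRUCTOR_RE.exec(code)) !== null) {
      const nameIndex = m.index + m[0].length - m[1].length;
      if (BLOCKED_CONSTRUCTORS.has(m[1])) { report(m.index + 1, 'constructor', `new ${m[1]}`); skip.add(nameIndex); }
    }
    while ((m = IDENTIFIER_RE.exec(code)) !== null) {
      if (BLOCKED_GLOBALS.has(m[1]) && !skip.has(m.index)) report(m.index + 1, 'global', m[1]);
    }
    while ((m = BLOCKED_SCHEME_RE.exec(code)) !== null) {
      report(m.index + 1, 'url-scheme', `${m[1].toLowerCase()}:`);
    }
  });
  return violations.sort((a, b) => a.line - b.line || a.column - b.column);
}

// Render violations as "line:column kind: match", one per entry.
function formatViolations(violations) {
  return violations.map((v) => `${v.line}:${v.column} ${v.kind}: ${v.match}`);
}

// Constructed sample script: only the fetch() call on line 2 is permitted.
const SAMPLE_SCRIPT = [
  '// Constructed sample for the pre-check above.',
  "const res = await fetch('https://example.invalid/api');",
  'const token = document.cookie;',
  "setTimeout(() => editor.setData('<p>x</p>'), 100);",
  "const ws = new WebSocket('wss://example.invalid');",
  "el.innerHTML = '<b>hi</b>';",
  "const icon = 'data:image/png;base64,AAAA';",
].join('\n');

console.log(formatViolations(analyzeScript(SAMPLE_SCRIPT)).join('\n'));
```

Running the block prints five violations for the sample, one per restricted category, and nothing for the `fetch()` call. When an identifier is both a blocked global and the receiver of a blocked member (such as `history.pushState`), the member rule reports it once and the global rule skips it, so each position is reported a single time.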

# Next steps