Server-side Editor API security considerations
The Server-side Editor API includes security measures to prevent malicious code execution. Every script is analyzed before it runs, and potentially dangerous operations are detected and blocked at that stage, so a script containing them is never executed.
The following categories of operations are blocked for security reasons:
Note: Regular HTTP calls (such as fetch() or HTTP requests issued through the editor's data layer) are permitted and can be used to communicate with third-party services. The restrictions apply only to potentially dangerous browser APIs and operations. Because outbound HTTP is allowed, the analysis does not stop a script from sending document content to an external host; run only scripts from sources you trust.
The API blocks access to potentially dangerous global functions and APIs that could be used for malicious purposes:
- Code execution functions: eval, Function, importScripts
- Timing functions: setTimeout, setInterval, requestAnimationFrame
- Network and communication: XMLHttpRequest, WebSocket, Worker, SharedWorker, BroadcastChannel
- File and data access: FileReader, indexedDB
- Encoding/decoding: atob, btoa, decodeURIComponent
- Storage access: localStorage, sessionStorage
- Browser navigation: history, import
- Performance monitoring: performance
Access to browser-specific APIs is restricted to prevent unauthorized document manipulation and browser state changes:
- Document creation and modification: document.createElement, document.write, document.writeln, document.createElementNS
- Document properties: document.cookie, document.body, document.head, document.location
- Window operations: window.open, window.location, window.postMessage, window.btoa, window.atob, window.document, window.navigator, window.performance
- URL manipulation: URL.createObjectURL
- Browser information: navigator.sendBeacon, navigator.userAgent, navigator.platform
- Performance data: performance.now, performance.getEntries
- History manipulation: history.pushState, history.replaceState
Direct manipulation of DOM elements is blocked to prevent injection attacks:
- HTML injection: element.innerHTML, element.outerHTML, element.insertAdjacentHTML
- Event handling: element.addEventListener
Creating certain objects is restricted to prevent potential security vulnerabilities:
- File objects: new Blob(), new File(), new FileReader()
- Communication objects: new WebSocket(), new Worker(), new SharedWorker(), new BroadcastChannel()
- Code execution: new Function()
- URL objects: new URL()
Certain URL schemes are blocked to prevent code injection and data leakage:
- Data URLs: data:
- Blob URLs: blob:
- JavaScript URLs: javascript:
- VBScript URLs: vbscript:
If your script contains restricted operations, the API will return an error with details about the violation, including the line and column position.
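As an added illustration (example code written for this page, not CKEditor's analyzer, whose implementation is not published here), the following Node.js script applies the lists above as a token-level static check over a script's source and reports each violation with its 1-based line and column, which is the kind of detail the API's error carries. The rule names (global, browser-api, dom, constructor, url-scheme), the two constructed sample scripts, and the regex-based tokenizer are assumptions of this example; a production analyzer would parse the script into an AST rather than scan tokens, and this simplified scanner does not handle regex literals or aliasing tricks.

```javascript
// Added example, not CKEditor code: a simplified static checker that mirrors the
// blocklists on this page. Rule names and the tokenizer are this example's own.
const BLOCKED_GLOBALS = new Set([
  'eval', 'Function', 'importScripts',                       // code execution
  'setTimeout', 'setInterval', 'requestAnimationFrame',      // timing
  'XMLHttpRequest', 'WebSocket', 'Worker', 'SharedWorker', 'BroadcastChannel',
  'FileReader', 'indexedDB', 'atob', 'btoa', 'decodeURIComponent',
  'localStorage', 'sessionStorage', 'history', 'import', 'performance',
]);
const BLOCKED_MEMBERS = new Set([
  'document.createElement', 'document.write', 'document.writeln', 'document.createElementNS',
  'document.cookie', 'document.body', 'document.head', 'document.location',
  'window.open', 'window.location', 'window.postMessage', 'window.btoa', 'window.atob',
  'window.document', 'window.navigator', 'window.performance',
  'URL.createObjectURL', 'navigator.sendBeacon', 'navigator.userAgent', 'navigator.platform',
  'performance.now', 'performance.getEntries', 'history.pushState', 'history.replaceState',
]);
// Checked on any object, since a static check cannot know which value is a DOM element.
const BLOCKED_PROPERTIES = new Set(['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'addEventListener']);
const BLOCKED_CONSTRUCTORS = new Set(['Blob', 'File', 'FileReader', 'WebSocket', 'Worker',
  'SharedWorker', 'BroadcastChannel', 'Function', 'URL']);
const BLOCKED_SCHEME = /^\s*(data|blob|javascript|vbscript):/i;

// Group 1: comments (skipped). Group 2: string literals (checked for URL schemes).
// Group 3: identifier chains such as `document.cookie` or `el.innerHTML`.
const TOKEN_RE = /(\/\/[^\n]*|\/\*[\s\S]*?\*\/)|("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`)|([A-Za-z_$][\w$]*(?:\s*\.\s*[A-Za-z_$][\w$]*)*)/g;

// 1-based line and column of a character offset in the source.
function position(source, index) {
  const before = source.slice(0, index);
  return { line: before.split('\n').length, column: index - before.lastIndexOf('\n') };
}

// Returns the first blocked name in a dotted chain, or null if it is allowed.
function matchChain(segments, afterNew) {
  const root = segments[0];
  if (afterNew && BLOCKED_CONSTRUCTORS.has(root)) return { rule: 'constructor', code: `new ${root}()` };
  if (BLOCKED_GLOBALS.has(root)) return { rule: 'global', code: root };
  for (let i = 2; i <= segments.length; i++) {
    const prefix = segments.slice(0, i).join('.');
    if (BLOCKED_MEMBERS.has(prefix)) return { rule: 'browser-api', code: prefix };
    if (BLOCKED_PROPERTIES.has(segments[i - 1])) return { rule: 'dom', code: `element.${segments[i - 1]}` };
  }
  return null;
}

function analyzeScript(source) {
  const violations = [];
  let afterNew = false;                         // previous identifier token was `new`
  TOKEN_RE.lastIndex = 0;
  for (let m = TOKEN_RE.exec(source); m !== null; m = TOKEN_RE.exec(source)) {
    if (m[1] !== undefined) continue;           // comment: names inside it are not calls
    const { line, column } = position(source, m.index);
    if (m[2] !== undefined) {                   // string literal: only the scheme matters
      const scheme = m[2].slice(1, -1).match(BLOCKED_SCHEME);
      if (scheme) violations.push({ rule: 'url-scheme', code: `${scheme[1].toLowerCase()}:`, line, column });
      afterNew = false;
      continue;
    }
    const segments = m[3].split('.').map((s) => s.trim());
    if (segments.length === 1 && segments[0] === 'new') { afterNew = true; continue; }
    const hit = matchChain(segments, afterNew);
    afterNew = false;
    if (hit) violations.push({ ...hit, line, column });
  }
  return violations;
}

// Renders violations the way an error report with line/column details would.
function formatReport(violations) {
  return violations.map((v) => `${v.line}:${v.column} ${v.rule}: ${v.code} is not allowed`).join('\n');
}

// Constructed sample scripts for this example. Plain fetch() is permitted, as the page notes.
const SAFE_SCRIPT = [
  'const res = await fetch("https://api.example.com/summarize", { method: "POST" });',
  'const summary = await res.text();',
  'editor.setData("<p>" + summary + "</p>");',
].join('\n');
const UNSAFE_SCRIPT = [
  '// a comment that mentions eval() is not a violation',
  'const secret = document.cookie;',
  'setTimeout(() => {}, 10);',
  'const href = "javascript:alert(1)";',
  'const w = new Worker("worker.js");',
].join('\n');

console.log(formatReport(analyzeScript(SAFE_SCRIPT)) || 'safe script: no violations');
console.log(formatReport(analyzeScript(UNSAFE_SCRIPT)));
```

Running it prints nothing for the safe script and four lines for the unsafe one (document.cookie at 2:16, setTimeout at 3:1, the javascript: scheme at 4:14 and new Worker() at 5:15); the eval() mentioned in the comment is correctly ignored. The same checker flags property names such as innerHTML on any receiver, which is also why a strict analyzer can reject legitimate code, as the page warns.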
Always test your scripts in a development environment before using them in production. The security analysis is strict and may block legitimate operations that appear suspicious.