Help with this security problem - copy/pasted images in Rich Text Content

To all,

I’m trying this with several RT plugins and seeing the same issue. Help!

I have a note taking function where the user can copy/paste images into the rich text field.

It appears that when you copy/paste, the image is uploaded to AWS automatically. In my column, I see this.

My Privacy Rule
I have the following privacy rule in place on the table where the user can view attached files.

The Security Issue
However, using the image url above, I can access this file externally without logging in, which is a MAJOR problem. These notes could contain company secrets and thus need to be secured.

Try it yourself and let me know if you can access it. Also note: it is http, not https, access, which is another problem.

The docs lead me to believe this should be covered
Everything I’ve read, and viewed in the video, for the article Protecting Data - Bubble Docs leads me to believe that the View Attached Files setting should be covering this.

What am I missing here? There’s no way in most RT plugins to block the user from copy/pasting images. The user doesn’t view this as uploading an image and placement in the document is key to understanding what they are showing. For them, this is like Microsoft Word and must function as such. There must be a way to secure this content.


This is a complex problem.
If you can point out which RTE you are using and describe the whole process, it may be possible to find a solution.
I guess that you may need to create your own RTE plugin (maybe a fork of an existing one).

Keep in mind that an RTE is, first of all, text. Because of that, what the RTE returns is not a file, and file privacy doesn’t apply (but field privacy does, so the content of the RTE, including the link, is private… but the file itself is something else). To be able to secure the file, we need to see how the RTE plugin works when you add a file (convert it to base64 or upload it to Bubble storage). In the latter case, we can add a setting to make the file private, if the plugin is free. If the plugin uses base64, this is already secure in the text field.

@Jici I’m using Bubble’s Rich Text Editor plugin, which doesn’t offer a lot of control and has no way to mark it private. It also doesn’t allow me to block copy/paste of images. I’ve pinged @Thimo about his plugin and discussed this situation with @ZeroqodeSupport as well. I’ve tried many of the others as well and found a similar issue.

I discovered this issue by accident. Zeroqode is the only one so far that has a plugin setting to make the file private. I’ve yet to test it though to see if it actually resolves this problem. I’m trying to avoid buying a lot of plugins, just to find one that works. Their demo allows me to save to the db but not actually examine what was saved.

My desired behavior would be to treat a copy/paste image as a Base64 encoded string in the text rather than have a file upload as there can be multiple images copied into the note. The link from above is from a note that has 8 copy/pasted images in it.

The behavior of the editing canvas in these plugins seems to treat it as a file upload instead. I can see the file in my file manager.

I love Bubble but I can’t understand why security of this content isn’t a Pri 0 requirement. It’s one thing to tell me data is public by default. It’s another to not give me an out of box solution to secure it.

The problem here is how these plugins work.
Some of them will convert the image to base64, and by doing that, the image is shown inline in the text. Others will upload the file to Bubble storage. If they didn’t add a field to set the privacy on that file, the files are uploaded without this information.

The security already exists, but plugins don’t always offer these settings. If ZQ already allows that, you could probably test it by purchasing the plugin per month first. The charge is prorated for the period you use it. So if you test it and remove it fast, you will pay nothing.

You should also send a support ticket to Bubble because their own plugin should have a privacy setting for files.
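Jici’s two replies above describe the two ways these plugins handle a pasted image (inline it as base64 inside the text, or upload it to storage as a separate file) and why only the first is covered by the text field’s privacy rule. The following is an added example, not code from this thread or from any Bubble or RTE plugin, showing both sides of that in JavaScript: a paste handler that turns a pasted image into a base64 data: URL inside the rich-text HTML, and an audit function that scans rich-text HTML already saved in the database for images that point at external URLs (flagging plain-http ones, as noted in the original post). The contenteditable selector, the size cap, the function names and the sample HTML are my assumptions and constructed data, not anything from the page.

```javascript
// Added example: not code from the forum thread or from any Bubble/RTE plugin.
// Assumed names: MAX_INLINE_BYTES, imageToDataUrl, findExternalImages,
// attachInlineImagePaste. SAMPLE_NOTE_HTML is constructed test data.

// Assumption: cap on what we inline. Base64 grows data by ~33% and every byte
// lands in the text field, so large screenshots bloat the note and every query
// that loads it. Anything over the cap is refused rather than silently uploaded.
const MAX_INLINE_BYTES = 2 * 1024 * 1024;

function bytesToBase64(bytes) {
  if (typeof Buffer !== 'undefined') return Buffer.from(bytes).toString('base64'); // Node
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);                              // browser
  return btoa(bin);
}

// Build a data: URL so the image can sit directly in <img src="..."> inside the
// rich-text HTML. No file is created, so there is nothing for a URL to expose.
function imageToDataUrl(bytes, mime) {
  if (!/^image\/(png|jpeg|gif|webp)$/.test(mime)) {
    throw new Error('refusing to inline unsupported type: ' + mime);
  }
  if (bytes.length > MAX_INLINE_BYTES) {
    throw new Error('image too large to inline: ' + bytes.length + ' bytes');
  }
  return 'data:' + mime + ';base64,' + bytesToBase64(bytes);
}

// Audit saved rich-text HTML: every <img> whose src is not an inline data: URL is
// a file living outside the text field's privacy rule. Plain-http links are flagged
// separately because they also leak the content in transit.
function findExternalImages(html) {
  const hits = [];
  const re = /<img\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1].trim();
    if (/^data:image\//i.test(src)) continue; // inline image: covered by field privacy
    hits.push({ src, insecureTransport: /^http:\/\//i.test(src) });
  }
  return hits;
}

// Constructed sample note: one externally hosted image over http, one inline
// image, one externally hosted image over https.
const SAMPLE_NOTE_HTML =
  '<p>constructed note</p>' +
  '<img src="http://files.example.net/uploads/1234/pic.png">' +
  '<img src="data:image/png;base64,iVBORw==">' +
  "<img alt='x' src='https://files.example.net/uploads/5678/pic2.jpg'>";

function auditSample() {
  return findExternalImages(SAMPLE_NOTE_HTML);
}

// Browser-only part: intercept image pastes on a contenteditable element before
// the editor's default upload path runs, and insert the image inline instead.
function attachInlineImagePaste(editorEl) {
  editorEl.addEventListener('paste', (ev) => {
    const items = ev.clipboardData ? Array.from(ev.clipboardData.items) : [];
    const item = items.find((i) => i.kind === 'file' && i.type.startsWith('image/'));
    if (!item) return;        // plain text paste: let the editor handle it
    ev.preventDefault();      // stop the editor from uploading the file
    const file = item.getAsFile();
    file.arrayBuffer().then((buf) => {
      const img = document.createElement('img');
      img.src = imageToDataUrl(new Uint8Array(buf), file.type);
      const sel = window.getSelection();
      if (sel && sel.rangeCount > 0) {
        const range = sel.getRangeAt(0);   // insert at the caret, keeping placement
        range.deleteContents();
        range.insertNode(img);
        range.collapse(false);
      } else {
        editorEl.appendChild(img);
      }
    }).catch((err) => console.error('inline paste failed:', err));
  }, { capture: true });
}

if (typeof document !== 'undefined') {
  const el = document.querySelector('[contenteditable="true"]'); // assumed selector
  if (el) attachInlineImagePaste(el);
} else {
  console.log(auditSample()); // Node: list the external images in the sample note
}
```

Running `findExternalImages` over every saved note is the quickest way to find out how many notes already reference separately stored files; each hit is a URL worth fetching from a logged-out browser to confirm it is reachable. The paste handler is registered in the capture phase so it runs before the editor's own listener, but an editor with its own paste pipeline (a Quill module, for example) may still need this hooked through its API rather than a raw DOM listener.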

@jici, I did log a ticket with Bubble and was told it wasn’t supported.

@Jici Just realized that no, Zeroqode doesn’t have a way to mark the content private.

And did you find one that converts the file to base64? (I think TinyMCE does it, but I’m not sure.)
If not, your best bet will be to create your own.

I’ve looked at TinyMCE. It looks promising as long as I don’t go over the 10,000 calls a month.
