Editing and Saving Custom HTML Using Javascript - How Safe Is It?

For example, I have a tool with Javascript support. You use links to add HTML blocks of elements (for example, input fields) and TinyMCE for editing text. They are saved using the autosave function, which makes an AJAX call in the background for certain events.

The save function is called, the database is protected, but I'm wondering if the user can manipulate the DOM to add anything that he wants (like custom HTML or an unwanted script).

How safe is this, if at all?

The first thing that comes to mind is that I probably should look for and remove inline javascript from the resulting HTML code.

Using PHP, jQuery, Ajax.

+5
3 answers

Unsafe. You can never trust the client. It is easy even for a novice to change the client-side DOM (for example, by installing Firebug for Firefox).

Since the HTML code is received from the client, make sure that you validate and sanitize it correctly using PHP on the server side.

+5


I would choose to sanitize the input server side so that everyone's contribution gets sanitized, regardless of whether they blocked scripts or not. Using something like this: http://www.phpclasses.org/package/3746-PHP-Remove-unsafe-tags-and-attributes-from-HTML-code.html or http://grom.zeminvaders.net/html-sanitizer implemented together with AJAX would be a pretty good solution.

+1
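The server-side sanitization the answers recommend, as an added PHP example that is not from the question, the answers, or the linked libraries. It uses an allowlist (anything not explicitly permitted is dropped) rather than trying to strip known-bad inline script; the allowed tags and attributes are assumptions for a TinyMCE-style editor and should be adjusted to the blocks the tool actually inserts.

```php
<?php
// Allowlist of tags and per-tag attributes (assumed for this example).
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a', 'input'];
const ALLOWED_ATTRS = ['a' => ['href'], 'input' => ['type', 'name', 'value', 'placeholder']];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // Parse the fragment as UTF-8 inside a wrapper; ignore warnings about sloppy editor markup.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement; // the wrapper <div>
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Iterate over a copy: removing children from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Drop the element and everything inside it (e.g. a <script> body).
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
                // Only http(s), root-relative and fragment links are kept; javascript:/data: URLs fail this.
                if ($ok && $name === 'href' && !preg_match('#^(https?://|/|\#)#i', trim($attr->value))) {
                    $ok = false;
                }
                if (!$ok) {
                    $child->removeAttribute($attr->name); // also removes on* event handlers
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions
        }
    }
}
```

Call `sanitizeHtml()` on every autosave request before the content is written to the database; since the editor runs on the client, nothing it sends can be trusted as-is.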
