TinyMce Protection Against Cross-Site Scripting

We plan to use TinyMce in JSP.

We have a standard security filter that tracks input from forms. It identifies unsafe code entry attempting to perform any intrusion / cross-site scripting.

My questions are as follows:

  • When using tinyMce, are there any third-party libraries (paid or open source) that would help scan and identify any unsafe code attempting cross-site scripting?

(I found one link in StackOverflow that mentions the PHP library, but I was looking for something in Java.)

  • If we don't have a way to protect Tinymce, then what is the general design consideration that needs to be taken to make it as safe as possible?
1 answer

SQL injection should be something you are worried about in your data layer and not in your interface. If you use proper methods to prevent SQL injection when inserting data into your database, you don't have to worry about doing anything with TinyMCE or any other part of your front-end code.

Cross-site scripting attacks, on the other hand, are a completely different story. The best strategy for preventing cross-site scripting attacks is usually HTML encoding for anything you don't create in your interface. However, since you are using TinyMCE, I assume that you want to allow user-generated HTML code on your site. In this case, you need to look into "HTML Sanitizing."

Here are some links to get started:

You can decide whether you prefer to sanitize HTML before storing it in the database, or after retrieving it from the database. There are pros and cons to each strategy.
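As an added example, not part of the original answer or of TinyMCE itself, here is what allow-list HTML sanitizing of editor output looks like in Java using the OWASP Java HTML Sanitizer (Maven artifact `com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer`). The class name, the chosen allow list and the sample submission are assumptions made for this illustration; the policy methods (`allowElements`, `allowAttributes(...).onElements`, `allowUrlProtocols`, `requireRelNofollowOnLinks`, `toFactory`, `sanitize`) are the library's real API.

```java
// Added example (not from the original post): allow-list sanitizing of HTML
// submitted by a TinyMCE editor, using the OWASP Java HTML Sanitizer.
// Dependency: com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class RichTextSanitizer {

    // Allow list: anything not named here (script, style, iframe, event-handler
    // attributes, non-listed URL schemes) is removed by the sanitizer.
    // Element and attribute names are an assumed policy for this example;
    // match them to what your TinyMCE toolbar actually lets authors produce.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "b", "i", "em", "strong", "u",
                           "ul", "ol", "li", "h1", "h2", "h3", "blockquote", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https", "mailto")
            .requireRelNofollowOnLinks()
            .toFactory();

    private RichTextSanitizer() {}

    /** Returns a copy of the editor output containing only allow-listed markup. */
    public static String sanitize(String untrustedHtml) {
        if (untrustedHtml == null) {
            return "";
        }
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: a submission where the editor's client-side
        // restrictions were bypassed (the browser is never a trust boundary).
        String submitted = "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a>"
                + "<a href=\"https://example.com/\">good link</a>";

        // The policy removes the script element, the onmouseover attribute and
        // the javascript: URL, and keeps the https link with rel="nofollow".
        System.out.println(sanitize(submitted));
    }
}
```

Whichever side of the database you sanitize on, the sanitized string is what you emit into the JSP without further escaping (for example `<c:out value="${post.body}" escapeXml="false"/>`), so a check that the markup has actually passed through the policy is the one thing the view must never skip. Sanitizing on the way in means the stored HTML is already safe and cheaper to render; sanitizing on the way out lets you tighten the policy later without re-processing stored rows, at the cost of running the sanitizer on every render.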
