php - TinyMCE security question: How do you prevent malicious input?

897

How do you prevent malicious input in WYSIWYG editors like TinyMCE?

I have a system with users who are not "tech savvy" (so no WMD) and need a rich text editor that posts its content into a database.

I'm worried about scripting attacks and malicious input code.

303

Answer

Solution:

If you only want safe html then you should use the HTML Purifier. If you want to protect against XSS and block all html then you should use$var=htmlspcialchars($var,ENT_QUOTES);

955

Answer

Solution:

You can't prevent that input from the client side. You can add things to get in the way (or try), but it will always be trivial to submit malicious code. You NEED to sanitize in PHP.

ALWAYS ALWAYS ALWAYS escape user submitted content before displaying it (htmlentities will usually take care of that for you).

If you want the ability to have HTML submitted (as you say you want WYSIWYG), then you'll need to white-list sanitize the HTML that was submitted. When I say white-list, I mean both tag name and attribute.

I'm not that familiar with CodeIgniter, but I did find this which looks like it may do what you want...

596

Answer

Solution:

Use JQuery Validation Plugin

People are also looking for solutions to the problem: php - MD5 random generate code duplicate

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.