How do you secure a WYSIWYG editor?

on 15.01.2008 20:18:51 by firewoodtim

I use tinyMCE to provide a formattable textarea for the users of my
website. How do I filter data so complex as that?

Re: How do you secure a WYSIWYG editor?

on 15.01.2008 20:38:27 by axlq

In article , wrote:
>I use tinyMCE to provide a formattable textarea for the users of my
>website. How do I filter data so complex as that?

What do you want to filter? With TinyMCE you can control the
features that a user puts into the text. If the user tries to
insert some HTML tags you don't allow (use any of the regexp
functions or stristr()), simply warn the user and redisplay the
text until the user fixes it.

-A

Re: How do you secure a WYSIWYG editor?

on 15.01.2008 21:17:39 by thyb0

firewoodtim@yahoo.com wrote:
> I use tinyMCE to provide a formattable textarea for the users of my
> website. How do I filter data so complex as that?

You mean sanitize it for SQL?
Basically, tinyMCE seems to output only an HTML string; I don't see anything
special with it, so you shouldn't worry more than usual about it.

-thib´

Re: How do you secure a WYSIWYG editor?

on 16.01.2008 11:19:09 by Micah

On top of that you can use strip_tags($str, $allowedtags) to only
allow certain tags. You may also want to check out the Wordpress code
as they also use tinyMCE in their admin section.

On Jan 15, 12:17 pm, thib´ wrote:
> firewood...@yahoo.com wrote:
> > I use tinyMCE to provide a formattable textarea for the users of my
> > website. How do I filter data so complex as that?
>
> You mean sanitize it for SQL?
> Basically, tinyMCE seems to output only a html string, I don't see anything
> special with it, you shouldn't worry more than usual about it.
>
> -thib´
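
The strip_tags($str, $allowedtags) approach Micah mentions keeps every attribute on the tags it allows, so an event-handler attribute or a javascript: href passes straight through it. Here is an added example (not code from this thread, from TinyMCE or from WordPress) of an allow-list sanitizer built on PHP's DOMDocument that also drops disallowed attributes and URL schemes; the tag, attribute and scheme lists are assumptions chosen for illustration.

```php
<?php
// Added example, not from the thread: an allow-list sanitizer for the HTML a
// WYSIWYG editor posts back. strip_tags($str, $allowed) keeps every attribute on
// the tags it allows, so an event-handler attribute or a javascript: href
// survives it; this DOM-based filter removes those as well.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS   = ['a' => ['href']];            // per-tag attribute allow-list (assumed)
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];  // scheme-less (relative) URLs pass too
const DROP_WITH_BODY  = ['script', 'style'];           // remove the element and its content
function hrefIsSafe(string $url): bool
{
    // Browsers ignore embedded tabs/newlines when reading the scheme, so strip them first.
    $scheme = parse_url(preg_replace('/[\x00-\x20]/', '', $url), PHP_URL_SCHEME);
    if ($scheme === null) return true;  // no scheme: relative URL
    return is_string($scheme) && in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}
function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // Parse inside a wrapper <div>; the parser decodes entities, so an encoded
    // scheme in an attribute value is checked in its decoded form.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                    LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0);
    // Snapshot the node list and walk it in reverse so children are handled before parents.
    foreach (array_reverse(iterator_to_array($doc->getElementsByTagName('*'))) as $el) {
        if ($el->isSameNode($root)) continue;
        $tag = strtolower($el->nodeName);
        if (in_array($tag, DROP_WITH_BODY, true)) {
            $el->parentNode->removeChild($el);
        } elseif (!in_array($tag, ALLOWED_TAGS, true)) {   // unwrap: keep content, drop tag
            while ($el->firstChild) $el->parentNode->insertBefore($el->firstChild, $el);
            $el->parentNode->removeChild($el);
        } else {
            foreach (iterator_to_array($el->attributes) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                   && ($name !== 'href' || hrefIsSafe($attr->value));
                if (!$ok) $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}
// Constructed test input: an allowed tag with an event handler, a javascript: link and a script.
$sample = '<p onclick="x()">Hi <a href="javascript:x()">link</a><script>x()</script></p>';
echo strip_tags($sample, '<p><a>'), "\n";  // onclick and the javascript: href survive
echo sanitizeHtml($sample), "\n";          // <p>Hi <a>link</a></p>
```

For a production site a maintained library such as HTML Purifier covers far more parser and encoding corner cases than this sketch does.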

Re: How do you secure a WYSIWYG editor?

on 16.01.2008 13:25:19 by firewoodtim

On Tue, 15 Jan 2008 21:17:39 +0100, thib´ wrote:

>firewoodtim@yahoo.com wrote:
>> I use tinyMCE to provide a formattable textarea for the users of my
>> website. How do I filter data so complex as that?
>
>You mean sanitize it for SQL?
>Basically, tinyMCE seems to output only a html string, I don't see anything
>special with it, you shouldn't worry more than usual about it.
>
>-thib´

Yes, but for XSS as well. It is possible to weed out "