TalkPHP


webtuto 01-22-2008 01:39 PM

editor bug ! click here
 
hi
i have a text editor so my visitors can make text bold, centered......
the name of this editor is TinyMCE
but the problem is, if someone stops JavaScript from running in his browser, he can add tags
and that's a problem :s:s
and if i add htmlentities and her brothers for security
the result is not what i want because it's like this, for example
PHP Code:

<b>morocco</b>

and i want it to actually be bold instead
is there a solution ???

ReSpawN 01-22-2008 03:45 PM

Using TinyMCE for public web applications is cool, but do not use them on the front side of the site since it's all hackable. You can exist divs, tables, bolds, links and much more. That's why it's only smart to entrust it to the administrator since he obviously doesn't want to mess up his site.

Second, stopping JavaScript is pretty stupid to be honest. Proxies do it all the time, but that's why most of them also don't accept cookies and sessions. If you want to give the public the opportunity to make their text bold, you should use BBCode instead of the "What You See Is What You Get" (WYSIWYG) editor. You can also create your own BBCode but that's a little bit harder to do.

Hope this helped. If not, I can help you out on it, but using TinyMCE on the front side of the site is not smart. :-)

Good luck!

webtuto 01-22-2008 03:59 PM

thanks man
so a WYSIWYG editor is safer than TinyMCE
and i can use it ?

xenon 01-22-2008 04:55 PM

TinyMCE IS itself a WYSIWYG editor. lol. He meant you should use the simple textareas which are based on a simple set of tags, and don't render HTML (like this forum's post editor - although this editor has a rich text editing option. for a cheaper implementation see phpBB2's post editor).

webtuto 01-22-2008 05:06 PM

thanks
but what should i do ?
i can't code it by myself :s

CMellor 01-22-2008 09:51 PM

I use TinyMCE and when submitting that data into the database, I turn all that HTML code into RAW code, then when I output it again, I use html_entity_decode.

wGEric 01-22-2008 10:57 PM

Quote:

Originally Posted by ReSpawN (Post 9268)
Using TinyMCE for public web applications is cool, but do not use them on the front side of the site since it's all hackable. You can exist divs, tables, bolds, links and much more. That's why it's only smart to entrust it to the administrator since he obviously doesn't want to mess up his site.

If you provide the proper checks on the server side to make sure only the HTML you want is getting through then it is fine to have a WYSIWYG editor that everyone can use. The only problem is that you can't rely on the client side to validate submitted data because like his user, you can always get by it. Server side validation is the only safe validation.

Quote:

If you want to give the public the opportunity to make their text bold, you should use BBCode instead of the "What You See Is What You Get" (WYSIWYG) editor. You can also create your own BBCode but that's a little bit harder to do.
TinyMCE has a BBCode editor in it so you can still have the WYSIWYG and use bbcode instead. Only thing you'd have to do is alter how the submitted data is displayed. Also add your htmlspecialchars() so no HTML is allowed.

Quote:

Originally Posted by CMellor
I use TinyMCE and when submitting that data into the database, I turn all that HTML code into RAW code, then when I output it again, I use html_entity_decode.

The XSS issue is still there. HTML is being displayed which was submitted by users.
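The server-side check wGEric describes (let only the HTML you want through) is what solves webtuto's original problem of "<b>morocco</b>" showing up as text. The following is an added example, not code from this thread or from TinyMCE: it escapes everything with htmlspecialchars() first, so scripts, event handlers and unknown tags become inert text, and then turns only a small allow-list of attribute-less formatting tags back into real markup. The tag list and the function name are my own choices.

```php
<?php
// Added example: allow-list rendering of user-submitted formatting.
// Step 1 escapes all markup; step 2 restores only exact, attribute-less
// tags from ALLOWED_TAGS; step 3 repairs nesting and closes open tags.

const ALLOWED_TAGS = ['b', 'i', 'u', 'strong', 'em'];   // assumption: what the site permits

function render_limited_html(string $input): string
{
    // Step 1: neutralise all markup, including quotes inside attributes.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: split on the escaped forms of the allowed tags only.
    // "&lt;b onmouseover=...&gt;" does not match and stays visible text.
    $pattern = '#&lt;(/?)(' . implode('|', ALLOWED_TAGS) . ')&gt;#i';
    $parts = preg_split($pattern, $escaped, -1, PREG_SPLIT_DELIM_CAPTURE);
    // $parts alternates: text, slash-or-empty, tag name, text, ...

    $out   = '';
    $stack = [];   // allowed tags currently open, innermost last
    for ($i = 0; $i < count($parts); $i += 3) {
        $out .= $parts[$i];                 // already-escaped plain text
        if (!isset($parts[$i + 1])) {
            break;                          // trailing text reached
        }
        $closing = $parts[$i + 1] === '/';
        $tag     = strtolower($parts[$i + 2]);
        if (!$closing) {
            $stack[] = $tag;
            $out .= "<$tag>";
        } elseif (in_array($tag, $stack, true)) {
            // Close inner tags first so crossed nesting like
            // <b><i>x</b></i> still yields well-formed output.
            do {
                $top = array_pop($stack);
                $out .= "</$top>";
            } while ($top !== $tag);
        }
        // A closing tag with no matching open tag is dropped silently.
    }
    // Step 3: close anything the user left open so the rest of the page
    // is not affected by an unterminated <b>.
    while ($stack) {
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed inputs for demonstration:
echo render_limited_html('<b>morocco</b>'), "\n";
echo render_limited_html('<b onclick="x()">morocco</b> <script>alert(1)</script> <i>open'), "\n";
```

Because the escape happens first, a user who literally types `&lt;b&gt;` sees it as text rather than as bold, and any tag carrying attributes stays escaped.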
