editor bug ! click here

webtuto · 01-22-2008, 12:39 PM

hi
i have a texteditor so my visitors can make text bold center......
the name of this editor is tinymc
but the problem if someone stop javascript from running in his browser , he can add tags
and thats a problem :s:s
and if i add htmlentities and her brothers for security
the result is not what i want bcz its like that for exemple

PHP Code:


			
<b>morocco</b>

and i want it to be actually bold instead
is there a solution ???

ReSpawN · 01-22-2008, 02:45 PM

Using TinyMCE for public web applications is cool, but do not use them on the front side of the site since it's all hackable. You can exist divs, tables, bolds, links and much more. That's why it's only smart to entrust it to the administrator since he obviously doesn't want to mess up his site.

Second, stopping Javascript is pretty stupid to be honest. Proxies do it all the time, but that's why most of them also don't accept cookies and sessions. If you want give the public the opportunity to make their text bold, you should use BBCode from the "What You See Is What You Get" (WYSIWYG Editor). You can also create your own BBCode but that's a little bit harder to do.

Hope this helped. If not, I can help you out on it but using TinyMCE on the front side of the site, is not smart.

Good luck!

webtuto · 01-22-2008, 02:59 PM

thanks man
so WYSIWYG Editor is safer than tinymc
and i can use it ?

xenon · 01-22-2008, 03:55 PM

TinyMCE IS itself a WYSIWYG editor. lol. He ment you should use the simple textareas which are based on a simple set of tags, and don't render HTML (like this forum's post editor - although this editor has a rich text editing option. for a cheaper implementation see phpBB2 - post editor).

webtuto · 01-22-2008, 04:06 PM

thanks
but what should i do ?
i cant code it by myself :s

CMellor · 01-22-2008, 08:51 PM

I use TinyMCE and when submitting that data into the database, I turn all that HTML code into RAW code, then when I output it again, I use html_entity_decode.

wGEric · 01-22-2008, 09:57 PM

Quote:

Originally Posted by ReSpawN

Using TinyMCE for public web applications is cool, but do not use them on the front side of the site since it's all hackable. You can exist divs, tables, bolds, links and much more. That's why it's only smart to entrust it to the administrator since he obviously doesn't want to mess up his site.

If you provide the proper checks on the server side to make sure only the HTML you want is getting through then it is fine to have a WYSIWYG editor that everyone can use. The only problem is that you can't rely on the client side to validate submitted data because like his user, you can always get by it. Server side validation is the only safe validation.

Quote:

If you want give the public the opportunity to make their text bold, you should use BBCode from the "What You See Is What You Get" (WYSIWYG Editor). You can also create your own BBCode but that's a little bit harder to do.

TinyMCE has a BBCode editor in it so you can still have the WYSIWYG and use bbcode instead. Only thing you'd have to do is alter how the submitted data is displayed. Also add your htmlspecialchars() so no HTML is allowed.

Quote:

Originally Posted by CMellor

I use TinyMCE and when submitting that data into the database, I turn all that HTML code into RAW code, then when I output it again, I use html_entity_decode.

The XSS issue is still there. HTML is being displayed which was submitted by users.