TalkPHP

TinyMCE security (http://www.talkphp.com/general/2519-tinymce-security.html)

freenity 03-24-2008 04:00 PM

TinyMCE security
 
Is TinyMCE secure enough to let users use it?
I mean, I want to allow my users to use some buttons such as bold, italics, etc., just some basic options. What I don't know is whether it will prevent XSS, JavaScript injection, etc.
Is it safe enough?
Thanks

DeMo 03-24-2008 06:13 PM

I've never used it, so I can't tell.
But you can pass the user input through HTML Purifier to make sure it stays clean.

TlcAndres 03-24-2008 07:34 PM

As a general rule you never really let the user use a WYSIWYG editor; you give them a BBCode editor or something along those lines. Though if you use it in tandem with a class to clean the HTML (as DeMo posted about HTML Purifier), then I suppose it can still be used.

Orc 03-24-2008 08:05 PM

It's really slow for me. :P

ETbyrne 03-25-2008 01:51 AM

I've been considering making my own BBCode WYSIWYG-editor-like thing because of the HTML purifying and slowness problems with most editors. I want to make one kind of like the one WP uses.

EyeDentify 03-25-2008 09:18 AM

Well, besides BBCode there's always Textile as an alternative.

ETbyrne 03-25-2008 03:25 PM

Oops, I meant to say that I want to make an editor like vBulletin uses, not WP.

freenity 03-25-2008 05:15 PM

I have just realized that TinyMCE can't be secure at all, because it's JavaScript executed on the client PC, so practically a user can insert any HTML or JavaScript there...
I found this: http://markitup.jaysalvat.com
Looks like a great thing; it's a plugin for jQuery :) that creates a nice interface for BBCode, Textile or even HTML, so it seems like an amazing plugin...
Thanks to all

EyeDentify 03-26-2008 10:55 AM

@freenity

Unless I'm wrong (please correct me), then we need to ask ourselves these questions:

1. What is jQuery?
Answer: it's JavaScript.

2. Where does JavaScript get executed?
Answer: in web browser clients.

So you're back to your initial concerns then, I guess?
If it's the JavaScript that scares you?

There's always two sides of a coin.

freenity 03-26-2008 03:35 PM

Quote:

Originally Posted by EyeDentify (Post 12808)
@freenity

Unless I'm wrong (please correct me), then we need to ask ourselves these questions:

1. What is jQuery?
Answer: it's JavaScript.

2. Where does JavaScript get executed?
Answer: in web browser clients.

So you're back to your initial concerns then, I guess?
If it's the JavaScript that scares you?

There's always two sides of a coin.

Totally right, it's the same using this plugin as using TinyMCE, but this plugin can also be used with BBCode, so no HTML tags are allowed, and this works :)
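
The BBCode route freenity describes, as an added example that is not part of the thread and not markItUp's code: escape the entire post first, then turn the BBCode into tags, so raw HTML typed (or POSTed directly, bypassing the editor) can never reach the page. The one hole BBCode does not close by itself is [url=...] with a javascript: target, so the link scheme is checked as well. Written in Python so it runs self-contained; the tag set, function names and sample post are assumptions of this example.

```python
import html
import re

# Constructed sample: what might arrive at the server from a BBCode editor.
# The editor is client-side JavaScript, so the server must assume the text
# can contain anything, including raw HTML and javascript: links.
SAMPLE_POST = (
    "Hello [b]world[/b] <script>alert(1)</script> "
    "[url=javascript:alert(1)]click[/url] "
    "[url=http://example.com/]ok[/url] [i]done[/i]"
)

# BBCode tags the forum offers and the HTML they map to (hypothetical set).
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
# Only absolute http(s) links become <a>; anything else stays plain text.
SAFE_SCHEMES = ("http://", "https://")


def render_bbcode(text: str) -> str:
    """Turn BBCode into HTML without ever letting user HTML through."""
    # Step 1: escape the whole post. From here on, the only angle brackets
    # in the output are the ones this function writes itself.
    out = html.escape(text, quote=True)

    # Step 2: rewrite the simple paired tags.
    for bb, tag in SIMPLE_TAGS.items():
        out = re.sub(
            rf"\[{bb}\](.*?)\[/{bb}\]",
            rf"<{tag}>\1</{tag}>",
            out,
            flags=re.S | re.I,
        )

    # Step 3: links. The target was escaped in step 1, so a quote inside it
    # is already &quot; and cannot close the href attribute; the remaining
    # risk is the scheme, which BBCode alone does nothing about.
    def url_repl(m):
        href, label = m.group(1), m.group(2)
        if not href.lower().startswith(SAFE_SCHEMES):
            return label  # javascript:, data:, vbscript: ... -> no link at all
        return f'<a href="{href}" rel="nofollow">{label}</a>'

    return re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", url_repl, out, flags=re.S | re.I)
```

The order matters: escaping after converting BBCode would also escape the tags you just generated, and converting before escaping would let raw HTML in the post survive. Run `render_bbcode(SAMPLE_POST)` and the script tag comes out as inert text while the javascript: link is reduced to its label.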

DeMo 03-26-2008 04:09 PM

Quote:

Originally Posted by freenity (Post 12785)
I have just realized that tinyMCE can't be secure at all, because it's a javascript executed on the client pc, so practically a user can insert any html or javascript, there....
Thanks to all

That's exactly why I suggested using HTML Purifier, to filter the content the user inputs into TinyMCE. ;-)
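
DeMo's point, as an added example that is not from the thread and not HTML Purifier's code: TinyMCE's toolbar and its valid-elements setting only constrain what the browser-side editor produces, and a user can POST any HTML to the form handler with curl. The server therefore rebuilds the fragment from an allowlist of tags and attributes, drops script/style with their contents, and checks link schemes. This is the same job HTML Purifier does in PHP, with a far more complete ruleset; the version below is a small Python illustration of the principle, and its allowlist, class and sample post are assumptions of this example.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist for a "bold, italics and a few basics" editor (hypothetical
# policy; adjust to what the editor's toolbar is configured to offer).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuild a fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, so we can close them
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, ...): tag dropped, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onerror=, style=, onclick= ... are never copied
            value = value or ""
            if name == "href":
                # Browsers ignore tabs/newlines inside the scheme, so
                # "java\tscript:" must be normalised before the check.
                scheme_view = re.sub(r"[\x00-\x20]", "", value).lower()
                if not scheme_view.startswith(SAFE_SCHEMES):
                    continue  # drop the attribute, keep the link text
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close anything still open inside it too, so the output nests properly.
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # Entities were decoded by the parser; re-encode on the way out.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self) -> str:
        self.close()
        while self.open:  # user forgot to close tags: close them here
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


# Constructed sample: a post crafted with curl to bypass the editor entirely.
ATTACK_POST = (
    "<p>Hi <b>there</b><script>alert(1)</script>"
    '<img src=x onerror="alert(1)">'
    '<a href="java\tscript:alert(1)" onclick="evil()">bad</a> '
    '<a href="https://example.com/?a=1">good</a>'
    '<b onmouseover="alert(1)">bold</b></p>'
    "<p>unclosed <i>it"
)
```

Two design choices carry the security: the output is regenerated from parsed tokens rather than patched with regexes over the raw string, and everything not explicitly allowed is dropped rather than everything known-bad being removed. Run `sanitize(ATTACK_POST)` and the script, the img with its onerror, the event handlers and the javascript: href all disappear while the formatting survives.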

ETbyrne 03-26-2008 04:41 PM

Quote:

Originally Posted by freenity (Post 12785)

Wow, Thanks! This is exactly what I've been looking for! ^^
