Is TinyMCE secure enough to allow users use it?
I mean, I want to allow my users use some buttons as bold, italics, etc just some basic options. What I don't know if it will prevent any xss, java script injection, etc
Is it safe enough?
Thanks

__________________
http://feudal-times.net - My PBB Game
http://gwphp.feudal-times.net - My Blog "Gaming With PHP"

I never used it so I can't tell.
But you can pass the user input through HTML Purifier - Filter your HTML the standards-compliant way! to make sure it stays clean.

As a general rule you never really let the user use a WYSIWYG editor you give them a BBCode editor or something along those lines. Though if you use it tangent with a class to clean the html (as DeMo posted about HTML purifier) then I suppose it can still be used.

__________________
"What everyone seems to forget is that while knowledge certainly is something - it's the implementation of knowledge that brings power" - Andres Galindo.

It's really slow for me. :P

__________________
VillageIdiot can have my babbies ;d

I've been considering making my own BBCode WYSIWYG editor like thing because of the HTML purifying and slowness problems with most editors. I want to make one kind of like the one WP uses.

__________________
Dingo Web Systems > http://www.dingocode.com
My Website > http://www.evanbot.com

well besides BBCODE theres allways:
Textile Textile

as an alternative.

__________________
Of course the whole point of a doomsday machine, would have been lost if you keep it a secret.

Oops, I meant to say that I want to make a editor like vbulliten uses, not WP.

__________________
Dingo Web Systems > http://www.dingocode.com
My Website > http://www.evanbot.com

I have just realized that tinyMCE can't be secure at all, because it's a javascript executed on the client pc, so practically a user can insert any html or javascript, there....
I found this: http://markitup.jaysalvat.com
Looks like a great thing, it's a plugin to jQuery :) that create a nice interface for BBcode, Textile or even HTML, so it seems like an amazing plugin...
Thanks to all

__________________
http://feudal-times.net - My PBB Game
http://gwphp.feudal-times.net - My Blog "Gaming With PHP"

@freenity

Unless i´m wrong (please correct me) then we need to ask ourselfs these questions:

1. What is JQuery ?
answer: it´s Javascript.

2. Where does JavaScript get executed ?
answer: in webbrowser clients.

So your back to your initial concerns then i guess?
If it´s the JavaScript that scares you ?

There´s allways two sides of a coin.

__________________
Of course the whole point of a doomsday machine, would have been lost if you keep it a secret.

totally right, it's the same using this plugin as using tinyMCE, but this plugin can also be used with BBCodes, so no html tags are allowed, and this works :)

__________________
http://feudal-times.net - My PBB Game
http://gwphp.feudal-times.net - My Blog "Gaming With PHP"

That's exatcly why I suggested you the use of HTML Purifier, to filter the content the user inputs into TinyMCE.

Wow, Thanks! This is exactly what I've been looking for!

__________________
Dingo Web Systems > http://www.dingocode.com
My Website > http://www.evanbot.com