views: 251

answers: 1

We've been using a WYSIWYG editor for longer than I can remember. Easily pasting JavaScript into this kind of editor makes it a sitting duck for XSS attacks.

Does anyone know of a WYSIWYG editor that integrates XSS prevention?

Solutions and suggestions are welcome.

+4  A: 

A WYSIWYG editor is all client-side (unless it's packaged along with some server component, which would be platform-specific). You cannot protect against user attacks from the client-side; users can always skip the editor and post their XSS right in the HTTP request.

You never want to throw away information at the input or storage phases. Everything you do to prevent XSS should happen when you write user input back out to the screen. The simplest way is to simply encode everything. Obviously on a site like Stack Overflow, where some user input needs to be written eventually as markup, it needs to be scrubbed first.

If we know some more about what platform you're using, we could probably recommend some well-tested, proven libraries that do what you need.

Rex M