views:

121

answers:

2

I've been looking into some of the WYSIWYG editors (TinyMCE, FCKEditor, etc.) and they all seem to offer a lot of options.

However, one vital feature that seems to be lacking is a simple "add custom html" option which would allow the user to input any of these embed-snippets you find all around the web these days, for example a youtube video. This is different from an "edit html/source" feature as that requires actual knowledge of html and there is the risk of the user writing invalid code.

Another issue that I couldn't find much about is the output html. How would I make sure that this output causes no security vulnerabilities? Even when the user has the ability to add his own html?

So, basically, is there an open source WYSIWYG editor which covers these 2 features?

+1  A: 

FCKEditor achieves this via plugins. e.g. http://sourceforge.net/projects/youtubepluginfo/

Martin Smith
The YouTube embed was just an example, I'm looking for a feature which allows the user to embed any html snippet. This would work for youtube videos, vimeo, but also google gadgets, etc. Any service that offers embedding html snippets.
Tom
Ah right, I'm pretty sure this would be very easy to do as a plugin as well but then you'd have to worry about the security stuff as you say. I'm not really sure what your threat model is. If this is a public website then it will still be possible for people to inject arbitrary HTML into the request submitted to the server regardless of what functionality you expose in the WYSIWYG editor.
Martin Smith
Yeah, the output will be checked server-side. I am amazed though that such an html snippet feature doesn't exist by default. I think the problem lies in the visual positioning of the html result. E.g. if you embed a youtube video, how are you going to position it without knowledge of html?
Tom
@Tom I think the reason why "insert HTML snippet" doesn't exist is that it's a one-way street only: Once the HTML is injected, there's no way to select that injected snippet and edit it again. Plus, the danger of injecting invalid HTML is *huge*. If you force people to open the source code view and make their edits there, they are at least likely to know what they're doing.
Pekka
Martin Smith
That plugin seems outdated as the project seems to have evolved into CKEditor. I'm going to see if there are any more suggestions and if not will give such a plugin a try.
Tom
+1  A: 

For the first part, you either have the "view source" view of the editor or, if that is too complex, I'm pretty sure such plugins already exist for all major editors. If they don't, building an "insert arbitrary HTML" plugin should be easy to implement by tweaking another simple plug-in like the youTube one linked to in Martin's answer.

The second part - sanitizing the incoming HTML - is impossible to achieve in the WYSIWYG editor itself, because it acts solely on the client side, and fills content into a form input that could be manipulated anyway, even if you turn off the "custom HTML" function in the editor.

Therefore, the sanitizing of the HTML needs to take place on server side. If you can use PHP, a tool that looks very good to me from the outside - I haven't worked with it but plan to in the near future - is HTML Purifier. It claims to produce reliable HTML with minimum hassle.

Pekka
Thanks for mentioning HTML Purifier, seems good.
Tom
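Pekka's point above, that the check has to run on the server no matter what the editor exposes, as an added example that is not from this thread and is not HTML Purifier: a small allowlist sanitizer built on Python's standard-library HTMLParser, which keeps a YouTube or Vimeo iframe embed while dropping scripts, event-handler attributes and non-http(s) URLs. The tag list and EMBED_HOSTS are constructed assumptions for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (an assumption of this example): tags kept, with the attributes each may carry.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"},
           "iframe": {"src", "width", "height", "allowfullscreen"}}
EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # constructed embed hosts

def safe_url(value, tag):
    # Only absolute http(s) URLs; an <iframe> src must also point at an embed host.
    p = urlparse(value.strip())
    return p.scheme in ("http", "https") and bool(p.hostname) and (
        tag != "iframe" or p.hostname.lower() in EMBED_HOSTS)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.raw, self.dropped = [], 0, {}  # raw: depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw += 1  # swallow the element together with the text inside it
            return
        kept = {n: v or "" for n, v in attrs if n in ALLOWED.get(tag, ())
                and (n not in ("href", "src") or safe_url(v or "", tag))}
        # Unknown tags and iframes without an accepted src are dropped whole, end tag included.
        if self.raw or tag not in ALLOWED or (tag == "iframe" and "src" not in kept):
            self.dropped[tag] = self.dropped.get(tag, 0) + 1
            return
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (n, html.escape(v)) for n, v in kept.items())))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.raw = max(0, self.raw - 1)
        elif self.dropped.get(tag):
            self.dropped[tag] -= 1
        elif not self.raw and tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.raw:
            self.out.append(html.escape(data, quote=False))  # re-escape every text node

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)
```

Because the output is re-serialised from the parsed tree rather than copied through, anything the allowlist does not name cannot survive; a maintained library such as HTML Purifier covers far more parser edge cases than this sketch.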