tags:

views:

156

answers:

3
+4  Q: 

TinyMCE security question: How do you prevent malicious input?

How do you prevent malicious input in WYSIWYG editors like TinyMCE?

I have a system with users who are not "tech savvy" (so no WMD) and need a rich text editor that posts its content into a database.

I'm worried about scripting attacks and malicious input code.

A: 

Use JQuery Validation Plugin

CodeToGlory  2010-06-15 21:04:14
javascript can be ignored by an attacker, this will not stop malicious input.
Rook  2010-06-15 21:25:49
<H1><B>***NEVER***</B></H1> rely on client-side validation
Iraklis  2010-06-16 12:24:46
Client side validation is useful and if used correctly enhances the user experience and usability, but it must ALWAYS be accompanied by server side validation. When i'm lazy i always start by server side validation and THEN implement the same checks on the client.
Iraklis  2010-06-16 12:31:35
A: 

You can't prevent that input from the client side. You can add things to get in the way (or try), but it will always be trivial to submit malicious code. You NEED to sanitize in PHP.

ALWAYS ALWAYS ALWAYS escape user submitted content before displaying it (htmlentities will usually take care of that for you).

If you want the ability to have HTML submitted (as you say you want WYSIWYG), then you'll need to white-list sanitize the HTML that was submitted. When I say white-list, I mean both tag name and attribute.

I'm not that familiar with CodeIgniter, but I did find this which looks like it may do what you want...

ircmaxell  2010-06-15 21:06:38
+8  A: 

If you only want safe html then you should use the HTML Purifier. If you want to protect against XSS and block all html then you should use $var=htmlspcialchars($var,ENT_QUOTES);

Rook  2010-06-15 21:21:40
+1 for HTML Purifier. Works really well and lets you customise what you want and what you want not at the level of single tag or even single attribute
nico  2010-06-15 21:25:32

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases