tags:

views:

22

answers:

1
Q: 

rich text editing, prevent embeded javascript code

I made a website using the famous symfony framework. I wanted to add rich editing feature to it. And I found TinyMCE editor. But there comed a problem: how about the user embed some javascript code into the content? such as alert('hello world').

I tested wordpress, which is a very famous blog software. It faces the same problem. example.

It is no big deal if some one embed an alert script. But what if they embed some dangerous code? Have you encountered the same problem? Should I use markdown instead of html? Any good widget for markdown editing?

A: 

Don't allow any embedded javascript in your user input. This is easy to clean out either on the client or the server. Have a "white list" of HTML tags you support, and remove any event listener attributes from whatever you do allow.

Robusto  2010-08-25 13:11:25

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript