Question

I have TinyMCE inserting posts into a database where they'll be subsequently pulled and put into a webpage. The problem is that some of the elements are interfering with page elements.

E.g., maybe the HTML that's being copy / pasted will have a table HTML tag with an id that conflicts with another id already on the page. Or maybe in the style attribute there'll be a z-index so the post covers up certain elements of the page.

I don't really want to blacklist attributes because (XSS considerations aside) I'm thinking all should be considered fair game (well maybe not event handlers) and if it interferes with the layout I can disable those specific tags / attributes on a case by case basis.

Any ideas?


Solution

There are several ways to filter your content:

  1. Use the TinyMCE paste_preprocess parameter to filter pasted content before insertion.
  2. You may use the valid_elements, valid_children and extended_valid_elements settings to control which elements and attributes TinyMCE accepts as valid HTML tags (this is something you don't want?).
  3. You can filter your code before writing it to your database.
  4. You could filter it when putting the content from the database into another web page.
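
A sketch of option 1 for the two cases in the question (conflicting id attributes and z-index in inline styles) plus event handlers; this is an added example, not part of the original answer. The helper names, the two policy lists and the `#post-body` selector are assumptions.

```javascript
// Added example. Policy and helper names are illustrative, not TinyMCE APIs.
// Extend these lists case by case as specific attributes break the layout.
const BLOCKED_ATTRS = new Set(['id']);
const BLOCKED_STYLE_PROPS = ['z-index'];

// True for attributes to strip: listed names plus every on* event handler.
function isBlockedAttr(name) {
  const n = name.toLowerCase();
  return BLOCKED_ATTRS.has(n) || n.startsWith('on');
}

// Clean one element in place. Accepts any object exposing the DOM Element
// members used here (getAttributeNames, getAttribute, removeAttribute, style).
function cleanElement(el) {
  for (const name of el.getAttributeNames()) {
    if (isBlockedAttr(name)) el.removeAttribute(name);
  }
  if (el.style) {
    // Let the browser's CSS parser locate the declaration instead of a regex.
    for (const prop of BLOCKED_STYLE_PROPS) el.style.removeProperty(prop);
    if (el.getAttribute('style') === '') el.removeAttribute('style');
  }
  return el;
}

// Parse an HTML fragment in an inert document, clean every element and
// return the serialized result. Requires a browser DOM (DOMParser).
function cleanHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  doc.body.querySelectorAll('*').forEach(cleanElement);
  return doc.body.innerHTML;
}

// Hook the filter into paste handling. TinyMCE 4/5 also need the paste
// plugin loaded; the first callback argument is unused here.
if (typeof tinymce !== 'undefined') {
  tinymce.init({
    selector: '#post-body', // placeholder selector
    paste_preprocess: (_pluginOrEditor, args) => {
      args.content = cleanHtml(args.content);
    },
  });
}
```

paste_preprocess only sees pasted content and runs in the browser, so the same policy still has to be applied at option 3 or 4 for content that reaches the database another way.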
Licensed under: CC-BY-SA with attribution