Question

I'm using HTMLPurifier to prevent XSS attacks from users and everything works OK on input type="text" fields. But when I try to clean TinyMCE textareas it seems like HTMLPurifier doesn't work, e.g.:

Simple input text field

Input:

<script>alert("XSS")</script>Cleaning Test

Output: Cleaning Test

TinyMCE textarea

Input:

<script>alert("XSS")</script>

Output: <script>alert("XSS")</script>

Did I miss something? Why does HTMLPurifier work on a simple input text field but not on a TinyMCE textarea?

PS: Magic Quotes are off.


Solution

I think I found what was wrong.

TinyMCE automatically encodes entities such as:

< into &lt;
> into &gt;
" into &quot;
& into &amp;

I tried to use different types of entity_encoding on TinyMCE but none of them seems to work as I want, so I used PHP's html_entity_decode to decode the TinyMCE textarea and then I used HTMLPurifier to sanitize the data, and everything works OK now.

Hope someone else finds this useful.
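The decode-then-purify pipeline from the answer above, written out as an added example (not code from the question or the answers). It assumes HTMLPurifier is installed through Composer and that TinyMCE submits the textarea with its default entity encoding; the allowed-tag list is a constructed, deliberately small policy. Decoding first matters because HTMLPurifier treats entity-encoded tags as inert text and leaves them in place rather than removing them.

```php
<?php
// Added example: sanitize a TinyMCE textarea that arrives entity-encoded.
// Assumption: HTMLPurifier is available via Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

function purifyTinyMceField(string $raw): string
{
    // TinyMCE has already turned <, >, " and & into entities, so restore the
    // markup the user actually wrote. Decode exactly once: one decode reverses
    // TinyMCE's single encode, so user-typed literal "&amp;" stays intact.
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Whitelist-based policy: only these tags/attributes survive; <script>,
    // event handlers and javascript: URLs are dropped by HTMLPurifier.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,strong,em,a[href],ul,ol,li,br');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($decoded);
}

// Constructed sample resembling what TinyMCE posts for
// <p>Hello <script>alert("XSS")</script><b>world</b></p>
$sample = '&lt;p&gt;Hello &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
        . '&lt;b&gt;world&lt;/b&gt;&lt;/p&gt;';

// The purified result is safe to render as HTML; it must still be escaped
// if it is ever placed inside an attribute or a JavaScript context.
echo purifyTinyMceField($sample), PHP_EOL;
```

Store the purified string (not the raw or merely decoded one) and render it as HTML; re-escaping it with htmlspecialchars would reintroduce the original problem of showing markup as text.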

OTHER TIPS

You will need to call tinymce.triggerSave() in order to write the tinymce content back to the tinymce source element (can be a textarea) before the purifier can work.

Licensed under: CC-BY-SA with attribution