rich text editing, prevent embeded javascript code
https://stackoverflow.com/questions/3566016
-
01-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I made a website using the famous symfony framework. I wanted to add rich editing feature to it. And I found TinyMCE editor. But there comed a problem: how about the user embed some javascript code into the content? such as alert('hello world').
I tested wordpress, which is a very famous blog software. It faces the same problem. example.
It is no big deal if some one embed an alert script. But what if they embed some dangerous code? Have you encountered the same problem? Should I use markdown instead of html? Any good widget for markdown editing?
Solution
Don't allow any embedded javascript in your user input. This is easy to clean out either on the client or the server. Have a "white list" of HTML tags you support, and remove any event listener attributes from whatever you do allow.
OTHER TIPS
It's a good idea to use an existing library to clean out your user input, the html purifier project: http://htmlpurifier.org/ seems maintained and well made.
