Problem

I'm using htmlPurifier to prevent XSS attacks from users and everything works ok on input type="text" fields. But when I try to clean tinyMCE textareas it seems like htmlPurifier doesn't work, e.g.:

Simple input text field

Input:

<script>alert("XSS")</script>Cleaning Test

Output: Cleaning Test

tinyMCE TEXTAREA

Input:

<script>alert("XSS")</script>

Output: <script>alert("XSS")</script>

Did I miss something? Why does htmlPurifier work on a simple input text field but not with the tinyMCE textarea?

PS: Magic Quotes are off


Solution

I think I found what was wrong.

tinyMCE automatically encodes entities such as:

< into &lt;
> into &gt;
" into &quot;
& into &amp;

I tried different types of entity_encoding on tinyMCE but none of them seemed to work as I wanted, so I used PHP's html_entity_decode to decode the tinyMCE textarea and then used htmlPurifier to sanitize the data, and everything works ok now.

Hope someone else finds this useful.
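The decode-then-purify order from the accepted answer, as an added PHP example that is not code from either poster. It assumes HTMLPurifier is installed through Composer (vendor/autoload.php), that the editor content is UTF-8, and uses a constructed sample of what the browser posts for the editor field:

```php
<?php
// Added example (not from the original post): decode TinyMCE's entity-encoded
// submission first, then run HTMLPurifier on the real markup.
// Assumption: HTMLPurifier is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

function purifyTinyMceField(string $submitted): string
{
    // TinyMCE (default entity_encoding) posts the editor content with
    // <, >, " and & already entity-encoded, so HTMLPurifier only sees
    // harmless text such as "&lt;script&gt;" and leaves it untouched.
    // Decode exactly one level first. ENT_QUOTES also decodes &quot; and
    // &#039;, and the charset must match the purifier's (UTF-8 here).
    $html = html_entity_decode($submitted, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    // Allow only the elements the editor is expected to produce; script,
    // event handlers and javascript: URLs are dropped by the purifier.
    $config->set('HTML.Allowed', 'p,b,strong,i,em,u,a[href],ul,ol,li,br');
    $purifier = new HTMLPurifier($config);

    // Purify the decoded markup. Doing the decode AFTER purification would
    // undo the purifier's own escaping and reintroduce the script element.
    return $purifier->purify($html);
}

// Constructed sample: the encoded form TinyMCE posts for the editor content
//   <script>alert("XSS")</script><p>Cleaning Test</p>
$posted = '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
        . '&lt;p&gt;Cleaning Test&lt;/p&gt;';

// The returned string contains the paragraph only; the script element is gone.
echo purifyTinyMceField($posted), PHP_EOL;
```

Store or render only the purified result; never echo the raw decoded `$html`, since that is exactly the unsanitized markup the purifier exists to clean.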

Other tips

You will need to call tinymce.triggerSave() in order to write the tinymce content back to the tinymce source element (can be a textarea) before the purifier can work.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow