Menu
I want to use Summernote WYSIWYG editor on my website that I am making with Laravel 5.2, however, here is one problem: when I submit my form, I get all my code in HTML. Because of that, I can't escape my HTML, because all style will not work, but if I don't escape HTML, my website will be vulnerable to XSS. What should I do?
Thanks for your help.
288
The Summernote Editor is a free & open-source super simple WYSIWYG editor based on Bootstrap & jQuery. It is a JavaScript library that can be useful to build the WYSIWYG editors online.
Insert an image. // @param {String} url // @param {String|Function} filename - optional $('#summernote'). summernote('insertImage', url, filename);
I am really sorry because the solution that solved my problem is sooooooo late, but I saw that 4 people were interested in this question, so I decided to post it.
Even if first I didn't notice, later I found out that the best thing to use in this situation is a HTML purifier for Laravel 5 (for example this one) because it cleans all unsafe html, so result should be safe even if user can post with html. That makes summernote pretty safe to use. I do not really know, if htmlpurifier still has any security issues, but all my tests were filtered as needed, so I think it should be secure enough.
Hope it helps someone. Sorry again, forgot about this question after I found a solution...
182
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
