As far as I've noticed, TinyMCE does its own escaping of meta characters, and using htmlspecialchars() afterwards will only clutter the output and show <p> tags and the like instead of rendering them in the browser. It's an easy thing to turn off JavaScript and input malicious code which will be rendered when another user with JavaScript turned on visits the content.
So I need to use proper server-side validation, but exactly -how- can I do this properly considering the thousands of XSS techniques out there? Is there any efficient way which works for TinyMCE, such as "using htmlspecialchars() together with TinyMCE?"
So far I've made a white-list for allowed HTML tags and replaced any "javascript:" and similar ":void" within the content to try and protect against inline JavaScript such as onClick="javascript:void(alert("XSS"));", but I feel this is not enough.
Any advice on the subject would be very much appreciated, but remember that certain content needs to be shown properly on the output; this is why I use TinyMCE in the first place. I only need to be protected against the XSS.
Also, while on the subject: how can I protect myself against CSS XSS such as style="background-image: url(XSS here);"?
TinyMCE in itself cannot be insecure; it would be completely impossible for any exploit to exist in TinyMCE that would allow anyone to hack your blog/CMS or similar by injecting XSS contents, since it by itself can't modify the contents of the site. The server-side scripts like PHP/.
TinyMCE is an online rich-text editor released as open-source software under the MIT License. It has the ability to convert HTML text area fields or other HTML elements to editor instances. TinyMCE is designed to easily integrate with JavaScript libraries such as React, Vue.
HTMLPurifier is one solution for php: http://hp.jpsband.org/
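To make the answer above concrete for the question's two concerns (inline event handlers and "javascript:" URLs, and CSS payloads inside style=""), here is an added example of what an HTMLPurifier-style allowlist sanitizer does, written against PHP's bundled DOMDocument. It is not code from this thread, from TinyMCE or from HTMLPurifier; the class name HtmlAllowlistSanitizer, the allowed tag, attribute, scheme and CSS lists, and the sample input are all assumptions chosen for the demonstration, and the input is assumed to be UTF-8 with non-ASCII characters already entity-encoded, as TinyMCE normally submits it.

```php
<?php
// Added example, not code from the thread, TinyMCE or HTMLPurifier.
// Allowlist sanitizer: anything not explicitly permitted (tag, attribute,
// URL scheme, CSS property) is removed, so no list of "bad" strings such as
// "javascript:" ever has to be complete. Lists below are illustrative choices.
final class HtmlAllowlistSanitizer
{
    // Elements kept, each with the attributes it may carry (assumed allowlist).
    private const ALLOWED = [
        'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'b' => [], 'i' => [], 'u' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [], 'h1' => [], 'h2' => [], 'h3' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height'], 'span' => ['style'],
    ];
    // Elements whose text content must go as well (script bodies, style sheets, embeds).
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed',
        'svg', 'math', 'form', 'noscript', 'template'];
    private const URL_ATTRS = ['href', 'src'];
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
    // style="" survives only for these properties, with a value grammar that cannot
    // express url(), expression(), backslash escapes, quotes or nested blocks.
    private const ALLOWED_CSS = ['color', 'font-weight', 'text-align', 'text-decoration'];
    private const CSS_VALUE_RE = '/^[A-Za-z0-9#%. -]{1,40}$/';

    public function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);  // unknown tags only raise warnings
        $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $root = $doc->documentElement;              // the wrapper <div>
        $this->cleanChildren($root);
        $out = '';
        foreach ($root->childNodes as $node) {      // serialize without the wrapper
            $out .= $doc->saveHTML($node);          // text nodes are entity-escaped here
        }
        return $out;
    }

    private function cleanChildren(DOMNode $parent): void
    {
        $child = $parent->firstChild;
        while ($child !== null) {
            $next = $child->nextSibling;
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);
                if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                    $parent->removeChild($child);
                } elseif (!isset(self::ALLOWED[$tag])) {
                    // Unknown tag: keep its children, drop the tag, rescan the moved nodes.
                    $first = $child->firstChild;
                    while ($child->firstChild !== null) {
                        $parent->insertBefore($child->firstChild, $child);
                    }
                    $parent->removeChild($child);
                    $next = $first ?? $next;
                } else {
                    $this->cleanAttributes($child, self::ALLOWED[$tag]);
                    $this->cleanChildren($child);
                }
            } elseif (!($child instanceof DOMText)) {
                $parent->removeChild($child);       // comments, PIs: not editor output
            }
            $child = $next;
        }
    }

    private function cleanAttributes(DOMElement $el, array $allowedAttrs): void
    {
        $names = [];
        foreach ($el->attributes as $attr) {        // collect first: the map is live
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);             // drops onclick, onerror, etc.
            $value = $el->getAttribute($name);
            $keep = in_array($lname, $allowedAttrs, true);
            if ($keep && in_array($lname, self::URL_ATTRS, true)) {
                $keep = $this->isSafeUrl($value);
            }
            if ($keep && $lname === 'style') {
                $value = $this->filterStyle($value);
                $keep = $value !== '';
            }
            $keep ? $el->setAttribute($name, $value) : $el->removeAttribute($name);
        }
    }

    private function isSafeUrl(string $url): bool
    {
        // Decode HTML5 entities the parser may not know (e.g. &colon;) and strip the
        // control characters browsers ignore inside a scheme, then read the scheme.
        $u = preg_replace('/[\x00-\x20]+/', '', html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if (!preg_match('/^([A-Za-z][A-Za-z0-9+.-]*):/', $u, $m)) {
            return true;                            // no scheme at all: relative URL
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }

    private function filterStyle(string $style): string
    {
        $kept = [];
        foreach (explode(';', $style) as $decl) {
            if (strpos($decl, ':') === false) {
                continue;
            }
            [$prop, $val] = explode(':', $decl, 2);
            $prop = strtolower(trim($prop));
            $val = trim($val);
            if (in_array($prop, self::ALLOWED_CSS, true) && preg_match(self::CSS_VALUE_RE, $val)) {
                $kept[] = $prop . ': ' . $val;      // background-image: url(...) never passes
            }
        }
        return implode('; ', $kept);
    }
}

// Constructed sample input covering the cases raised in the question.
$dirty = '<p onclick="alert(1)">Hi <a href="jAvaScript:alert(1)">link</a>'
       . ' <span style="background-image:url(javascript:alert(1)); color: red">text</span></p>'
       . '<script>alert(1)</script><img src="x" onerror="alert(1)">';
echo (new HtmlAllowlistSanitizer())->sanitize($dirty), "\n";
```

The design point is the inversion of the question's approach: instead of searching the content for "javascript:" (which misses case changes, entity encodings and embedded control characters that browsers tolerate), the URL scheme is parsed and must appear on a short allowed list, and style="" is rebuilt from allowed properties with a value grammar under which url() cannot be written at all. Run on its own, the sanitizer drops the paragraph's onclick handler, strips the href whose scheme is not allowed, keeps only the color declaration, removes the script element with its body, and keeps the image while removing onerror. A maintained library such as the HTMLPurifier mentioned above covers many more edge cases (nested quoting in CSS, protocol-relative URLs, browser parser quirks) and should be preferred in production; this example shows the shape of that work.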