Re: How do you secure a WYSIWYG editor?

Posted by firewoodtim on 09/29/19 12:00

On Tue, 15 Jan 2008 21:17:39 +0100, thib´ <thyb0@coralsnake-team.com>
wrote:

>firewoodtim@yahoo.com wrote:
>> I use tinyMCE to provide a formattable textarea for the users of my
>> website. How do I filter data so complex as that?
>
>You mean sanitize it for SQL?
>Basically, tinyMCE seems to output only an HTML string, I don't see anything
>special about it, you shouldn't worry more than usual about it.
>
>-thib´

Yes, but for XSS as well. It is possible to weed out "<script>" tags
fairly easily, but there are other ways to inject malicious code. For
example,
<a href=# onclick="alert('Hi, I am a malicious intruder!!');return
true;">.

I suppose one could take an item-by-item, blacklist approach and use
regex to take out that particular code as well, but it looks like an
endless merry-go-round situation to me. There are surely enough
CMSs around that there must be a standard way to filter
textarea data, so exploits are made too difficult to bother with.

Does anyone know how most CMS's or bulletin boards like this one
filter their input?
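The standard answer to the question above is the opposite of the regex blacklist: parse the submitted HTML and rebuild it from an allowlist of tags and attributes, so anything not explicitly permitted (event handlers such as the `onclick` in the example, `<script>` blocks, `javascript:` URLs, unknown tags) simply never reaches the output. The following is an added illustration of that approach, not code from the thread, tinyMCE, or any CMS; it is written in Python with the standard-library `html.parser` rather than PHP so it can be run as-is, and the tag/attribute allowlist and the sample inputs are constructed for the example. For production use, a maintained library such as HTML Purifier (PHP) or DOMPurify (JavaScript) does this job with far more edge cases covered.

```python
"""Allowlist HTML sanitizer for WYSIWYG output (added example, not from the thread)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for this example: tag -> attributes permitted on it.
# Anything not listed here is dropped, so no blacklist of "bad" attributes is needed.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                      # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"} # drop the tag and everything inside it
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value):
    """Allow relative URLs and a few known-good schemes only.

    Control characters and whitespace are removed before the scheme check,
    because browsers ignore them ("java\\tscript:" still runs as javascript:).
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: text and attribute values arrive already
        # decoded, so "&#106;avascript:" is seen as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted tags, to keep output balanced
        self._skip = 0        # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return                      # unknown tag (img, iframe, ...) vanishes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                # onclick, style, etc. are never copied
            if name == "href" and not _safe_url(value):
                continue                # javascript:, data:, vbscript: links dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in self.open_tags:
            return                      # stray close tag: ignore
        # Close everything opened after this tag so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            # Re-escape decoded text so it can never be interpreted as markup.
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:           # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(fragment):
    """Return a rebuilt copy of `fragment` containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: the onclick payload from the post, plus a script block.
    sample = '<a href=# onclick="alert(\'Hi\');return true;">link</a><script>alert(1)</script>'
    print(sanitize(sample))
```

Because the output is regenerated from the parse tree rather than patched with regexes, a new attribute or tag that nobody thought of is dropped by default; the only things that require maintenance are the entries in the allowlist itself.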
