Posted by firewoodtim on 11/11/19 12:00
On Tue, 15 Jan 2008 21:17:39 +0100, thib´ <thyb0@coralsnake-team.com>
wrote:
>firewoodtim@yahoo.com wrote:
>> I use tinyMCE to provide a formattable textarea for the users of my
>> website. How do I filter data so complex as that?
>
>You mean sanitize it for SQL?
>Basically, tinyMCE seems to output only an HTML string, I don't see anything
>special with it, you shouldn't worry more than usual about it.
>
>-thib´
Yes, but for XSS as well. It is possible to weed out "<script>" tags fairly easily, but there are other ways to inject malicious code. For example,
<a href=# onclick="alert('Hi, I am a malicious intruder!!');return true;">.
I suppose one could take an item-by-item, blacklist approach and use regex to take out that particular code as well, but it looks like an endless merry-go-round situation to me. There are surely enough CMS's around that there must be a standard way to filter textarea data, so exploits are made too difficult to bother with.
Does anyone know how most CMS's or bulletin boards like this one filter their input?