WYSIWYG editor security question (preventing malicious input)

Question

I'm using jWYSIWYG in a form I'm creating that posts to a database and was wondering how you can prevent a malicious user from trying to inject code in the frame?

Doesn't the editor need brackets (which I'd normally strip during the post process) in order to display styles?

Answer 1

I have encountered similar situations, and I have started using HTMLPurifier on my PHP backend which will prevent every attack vector I can think of. It is easy to install, and will allow you to whitelist the elements and attributes. It also prevents the XSS attacks that could still exist whilst using htmlentities.

Answer 2

Ultimately, the output is in your own hands when you will be inserting it into the database, a time you need to make sure that you strip away anything malicious. The simplest way will be to probaly use htmlentites against such data, however, there are other ways bad guys can bypass that. Here is a nice script also implemented by popular Kohana php framework for its input class against the possible XSS attacks:

http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php

Answer 3

If the editor allows arbitrary HTML, you're fighting a losing battle since users could simply use the editor to craft their malicious content.

If the editor only allows for a subset of markup, then it should use an alternative syntax (similar to how stackoverflow does it), or you should escape all HTML except for specific, whitelisted tags.

Note that it's pretty easy to not do this correctly so I would use a third-party solution that has been appropriately tested for security.