Frank Nwoko

Reputation: 3934

Is there a way to prevent malicious code from TinyMCE-enabled textareas?

Upvotes: 1

Views: 725

Answers (2)

Christophe Eblé

Reputation: 8161

Yes,

You have to clean up the code on the server side; a good library is HTMLPurifier in PHP. http://htmlpurifier.org/

The cool thing with HTMLPurifier is that it declares the allowed HTML structure in the same way as TinyMCE.

<?php
// Load HTMLPurifier (the path to HTMLPurifier.auto.php depends on where the library is installed).
require_once 'HTMLPurifier.auto.php';

// Raw editor submission, e.g. the TinyMCE textarea value posted by the form
// (the field name 'content' is just an example).
$html = isset($_POST['content']) ? $_POST['content'] : '';

$config = HTMLPurifier_Config::createDefault();
// Allow-list of elements and, per element, the attributes that may survive;
// anything not listed here (other tags, on* handlers, ...) is removed.
$config->set('HTML.Allowed',
    'a[href|rel|rev|target|title|style],' .
    'b[style],' .
    'br[clear],' .
    'caption[style],' .
    'center[style],' .
    'col[align|charoff|span|valign|width],' .
    'colgroup[align|charoff|span|valign|width],' .
    'em[style],' .
    'font[color|face|size|style],' .
    'h1[align|style],' .
    'hr[align|noshade|size|width|style],' .
    'img[align|alt|border|height|hspace|src|vspace|width|style],' .
    'li[type|value|style],' .
    'ol[start|type|style],' .
    'p[align|style],' .
    'span[style],' .
    'u[style],' .
    'ul[type|style]');

// Block images coming from remote host
$config->set('URI.DisableExternalResources', true);

// Purify html
$purifier = new HTMLPurifier($config);

// Here you get the purified html
$html = $purifier->purify($html);

Upvotes: 2

Thariama

Reputation: 50832

When the editor's content is submitted, you should do a server-side cleanup of the content (i.e. remove script tags) in order to prevent malicious code from being saved to your database.

Upvotes: 0
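Both answers above come down to the same mechanism: on the server, keep only an allow-list of elements and attributes and throw away everything else, rather than hunting for known-bad tags. The following is an added example, not code from either answer or from the HTMLPurifier project: it implements that allow-list idea in Python's standard library so the individual decisions (unknown tags, event-handler attributes, `javascript:` links, remote image sources, unbalanced markup) are visible. The tag list, the URL rules and the conservative `style` grammar are assumptions chosen to mirror the shape of the HTMLPurifier configuration in the first answer; in production use a maintained sanitizer rather than this sketch.

```python
"""Allow-list HTML sanitizer for rich-text editor submissions (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and the attributes each may carry; everything else is dropped.
# Assumed subset shaped like the 'HTML.Allowed' list in the answer above.
ALLOWED = {
    "a": {"href", "title", "target", "rel"},
    "b": set(), "em": set(), "u": set(), "span": {"style"},
    "br": set(), "hr": set(), "p": {"align", "style"}, "h1": {"align", "style"},
    "ul": {"type"}, "ol": {"start", "type"}, "li": {"value"},
    "img": {"src", "alt", "width", "height"},
}
VOID = {"br", "hr", "img"}                                   # never get a closing tag
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag AND contents go
URL_ATTRS = {"href", "src"}
# Conservative inline-style grammar: no parentheses, so no url()/expression().
SAFE_STYLE = re.compile(r"^[\w\s:;#%,.\-]*$")


def safe_url(attr, value):
    """href may be http(s), mailto or relative; src must be relative
    (same idea as URI.DisableExternalResources). Control characters are
    rejected outright because browsers ignore them inside a scheme."""
    if re.search(r"[\x00-\x1f\x7f]", value):
        return False
    parsed = urlparse(value.strip())
    if attr == "src":
        return parsed.scheme == "" and parsed.netloc == ""
    return parsed.scheme in ("", "http", "https", "mailto")


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # allowed tags currently open, so output stays balanced
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED:
            return  # unknown tag removed; its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # covers on* handlers and anything else not listed
            if name in URL_ATTRS and not safe_url(name, value):
                continue
            if name == "style" and not SAFE_STYLE.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.stack:
            while self.stack:  # close anything still open inside it
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    def result(self):
        while self.stack:  # close whatever the submission left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return the allow-listed, re-serialised form of an untrusted HTML fragment."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample submission, not real editor output.
    dirty = '<p onclick="alert(1)">Hi <b>there</b></p><script>alert(1)</script>'
    print(sanitize(dirty))
```

Note that text content is re-serialised with `html.escape`, so the output is always a fresh, balanced document rather than the user's bytes with pieces cut out; that is what makes the result safe to store and later embed in a page.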