IRFAN SUSILO

Reputation: 3

Is TinyMCE really secure from common vulnerabilities such as XSS?

For those of you who don't know about TinyMCE, TinyMCE is a rich text editor for blog posts. So, what kind of website needs a text editor like TinyMCE? As far as I know, websites like news portals (BBC, CNBC, etc.) may need feature-rich text management for each post, not just paragraphs, bold, and left alignment.

As a web developer, I need to know how safe the products/packages/libraries we use in building a website are for the end user. In this case, TinyMCE is the focus of the question.

How TinyMCE works is to change plain text into HTML rich text, e.g. <p style="font-size:50px; color:blue;">hello world</p>. With this capability, TinyMCE could be used to open common security holes such as XSS.

Upvotes: 0

Views: 928

Answers (1)

James Johnson

Reputation: 356

The basic answer is that you should never trust content from the client side, no matter what it does, because it is trivial to send data to the server that does not go through any of the checks performed in JavaScript. This applies to TinyMCE as much as it does to any client-side library. All data from the client side should be validated again on the server.

However, you can give TinyMCE unsafe HTML and have it sanitize it before displaying. By default TinyMCE will remove scripts, event handlers, style tags and inline SVGs. You can restrict the valid content further to create very locked-down HTML. I recommend reading the security documentation, which documents a number of ways you can improve the security of your implementation.

Upvotes: 1
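As an added example, not code from the question, the answer or the TinyMCE project: a dependency-free Node.js allowlist sanitizer that shows what "validate again on the server" looks like for editor HTML such as the <p style="..."> fragment in the question. The allowed tags, attributes, CSS properties and URL schemes, and all function names, are assumptions chosen for this demo rather than TinyMCE's own defaults.

```javascript
// Added example: server-side allowlist sanitizer for editor HTML (Node.js, no dependencies).
// The allowlists below are assumptions for this demo, not TinyMCE's defaults.

// Tag -> attributes kept on it. Every other tag, attribute and event handler is dropped.
const ALLOWED = {
  p: ['style'], h1: [], h2: [], h3: [], b: [], strong: [], i: [], em: [], u: [],
  ul: [], ol: [], li: [], br: [], a: ['href', 'title'],
};
const VOID_TAGS = new Set(['br']);
// Elements whose content is removed too (a script body must not survive as visible text).
const DROP_WITH_CONTENT = new Set(['script', 'style', 'svg', 'math', 'iframe', 'object', 'embed', 'template', 'noscript']);
const ALLOWED_STYLE_PROPS = new Set(['color', 'font-size', 'text-align']);
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode numeric and common named entities so the checks see what a browser would see
// (e.g. href="&#106;avascript:" is really "javascript:").
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const cp = body[1].toLowerCase() === 'x' ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? m;
  });
}

// Escape for output, both as text and inside a double-quoted attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Keep only allowlisted CSS properties with plain values: no url(), expression(), quotes or escapes.
function sanitizeStyle(value) {
  const kept = [];
  for (const decl of value.split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    const prop = decl.slice(0, i).trim().toLowerCase();
    const val = decl.slice(i + 1).trim();
    if (ALLOWED_STYLE_PROPS.has(prop) && /^[a-zA-Z0-9#%. -]+$/.test(val)) kept.push(`${prop}:${val}`);
  }
  return kept.join(';');
}

// Browsers ignore ASCII control characters and whitespace inside a URL scheme ("java\tscript:"),
// so strip them before matching an allowlist of schemes; same-origin paths and fragments are fine.
function isSafeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(https?:\/\/|mailto:|\/(?!\/)|#)/.test(v);
}

function sanitizeAttributes(tag, rawAttrs) {
  const attrRe = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const name = a[1].toLowerCase();
    if (!ALLOWED[tag].includes(name)) continue;            // drops onclick=, onerror=, srcdoc=, ...
    let value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if (name === 'style') value = sanitizeStyle(value);
    if (name === 'href' && !isSafeHref(value)) value = '';
    if (value !== '') out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Tokenize with a deliberately simple tag pattern. Anything that is not an allowlisted tag is
// dropped or re-emitted as escaped text, and the output is re-serialized from parsed tokens,
// never copied from the input, so the browser can only parse what this function produced.
function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const open = [];   // stack of open allowlisted tags, used to re-balance the output
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeHtml(decodeEntities(input.slice(last, m.index)));
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (DROP_WITH_CONTENT.has(tag)) {
      if (closing) continue;
      const closeRe = new RegExp(`</${tag}\\s*>`, 'ig');
      closeRe.lastIndex = last;
      const c = closeRe.exec(input);
      last = tagRe.lastIndex = c ? closeRe.lastIndex : input.length;   // skip the whole element
      continue;
    }
    // hasOwnProperty, not `in`: "<constructor>" must not hit Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) continue;  // unknown tag: drop it, keep its text
    if (closing) {
      const depth = open.lastIndexOf(tag);
      if (depth === -1) continue;                          // stray close tag
      while (open.length > depth) out += `</${open.pop()}>`;
      continue;
    }
    out += `<${tag}${sanitizeAttributes(tag, m[3])}>`;
    if (!VOID_TAGS.has(tag)) open.push(tag);
  }
  out += escapeHtml(decodeEntities(input.slice(last)));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

module.exports = { sanitizeHtml, sanitizeStyle, isSafeHref };
```

Run `sanitizeHtml()` over whatever the browser submits, on the server, regardless of how the editor was configured on the client: a request made with curl never saw TinyMCE's filtering. The design choices worth copying are the allowlist (never a blocklist of known-bad tags), the re-serialization of the output from parsed tokens so there is no parser differential between this code and the browser, and the fail-closed handling of anything unrecognized, which is escaped to text rather than passed through. Hand-rolled HTML handling like this is fine for understanding the problem, but a production service should use a maintained sanitizer library that tracks HTML parsing quirks.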
