WYSIWYG HTML Editor and Security

Source: CodeIgniter Forums (https://forum.codeigniter.com), Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) > General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24), thread /showthread.php?tid=74672
WYSIWYG HTML Editor and Security - whatsmyname - 10-22-2019

Hello and thank you for taking the time to read this. I'm using a WYSIWYG HTML Editor (CKEditor) to allow the end user to use HTML. This will then be outputted at a later stage via the website.
Thanks in Advance.

RE: WYSIWYG HTML Editor and Security - Avega Soft - 10-23-2019

Good questions, join them.

RE: WYSIWYG HTML Editor and Security - PaulD - 10-23-2019

I am no expert on this and have struggled with this myself. HTML Purifier is a must, as it also tidies up a lot of the messy HTML these WYSIWYG editors produce. It will also strip out unwanted tags and, from my vague recollection, it is where you whitelist the allowed tags. When I tested the purification I found it to be excellent. I could not catch it out.

Personally, I have stopped using these editors, only because of the mess users make with these things. I now just have a form with, for instance, a title field, a subtitle, a paragraph subtitle, a paragraph content, and the ability to add a paragraph or add an image etc. It is a pain but it is a lot more manageable in the long run and preserves your layout/design. Otherwise you get massive purple titles in Comic Sans, writing with red backgrounds and green text, and usually tons of unwanted line breaks.

Anyway, if anyone knows of a better way to implement WYSIWYG I would love to hear it too. However, I do like them and there are scenarios where they make sense. I find them unworkable and not as user friendly as you might imagine.

Paul.

RE: WYSIWYG HTML Editor and Security - whatsmyname - 10-23-2019

Thanks for your reply @PaulD. This indeed is a touchy subject and has been for myself for many years regarding the best outcome. I think a limitation on allowed tags bundled with XSS protection is the best possible way to approach this. I believe this may be the best way:

1) Use HTML Purifier
2) Limit the tags your user may use within HTML Purifier, e.g. headings, strong, paragraph, ul/li
3) Use the XSS protection provided by CodeIgniter
4) Do not use strip_tags() unless you plan to strip all tags (https://www.reddit.com/r/PHP/comments/nj5t0/what_everyone_should_know_about_strip_tags/)

If anybody can add to this please let me know.
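The whitelist approach described in the steps above (HTML Purifier with a restricted tag set), as an added example that is not part of the thread or of any poster's code. It assumes HTML Purifier is installed via Composer as `ezyang/htmlpurifier` and that the autoloader path is `vendor/autoload.php`; the sample input is constructed to show the kind of markup a purifier has to deal with, and the function name `purifyEditorHtml` is my own.

```php
<?php
// Added example, not from the thread: whitelist-based HTML Purifier setup
// for content submitted through a WYSIWYG editor such as CKEditor.
// Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

/**
 * Purify editor-submitted HTML against an explicit whitelist.
 * Everything not listed in HTML.Allowed (script, style, iframe, form,
 * on* event handlers, inline style attributes, ...) is removed; the text
 * content of unknown tags is kept so the user's words survive.
 */
function purifyEditorHtml(string $dirty): string
{
    static $purifier = null;

    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.Doctype', 'HTML 4.01 Transitional');

        // The whitelist: tags and, in brackets, the attributes each may carry.
        // This is the "limit the tags" step; keep it as short as the site's
        // layout allows (headings, paragraphs, emphasis, lists, links, images).
        $config->set(
            'HTML.Allowed',
            'h2,h3,p,br,strong,em,ul,ol,li,a[href|title],img[src|alt]'
        );

        // Only these URL schemes are accepted in href/src, which removes
        // javascript: and data: URIs even though <a> and <img> are allowed.
        $config->set('URI.AllowedSchemes', [
            'http'   => true,
            'https'  => true,
            'mailto' => true,
        ]);

        // User-supplied links should not pass link equity to arbitrary sites.
        $config->set('HTML.Nofollow', true);

        // Drop empty leftovers such as <p></p> produced by editors.
        $config->set('AutoFormat.RemoveEmpty', true);

        // In a real deployment point Cache.SerializerPath at a writable
        // directory instead; the cache is disabled here to keep the demo
        // self-contained.
        $config->set('Cache.DefinitionImpl', null);

        $purifier = new HTMLPurifier($config);
    }

    return $purifier->purify($dirty);
}

// Constructed sample input: a mix of legitimate formatting and markup
// that must not reach the rendered page.
$dirty = <<<'HTML'
<h1 style="color:purple;font-family:'Comic Sans MS'">Big Title</h1>
<p onmouseover="alert(1)">Hello <strong>world</strong>
<script>alert(document.cookie)</script></p>
<a href="javascript:alert(1)">bad link</a>
<a href="https://example.com/">good link</a>
<img src="https://example.com/pic.png" alt="pic" onerror="alert(1)">
<iframe src="https://example.com/"></iframe>
<ul><li>item one</li><li>item two</li></ul>
HTML;

echo purifyEditorHtml($dirty), PHP_EOL;
```

Running this prints the surviving markup: the `h1` (not whitelisted) is reduced to its text, the `script` and `iframe` elements disappear entirely, the `onmouseover` and `onerror` handlers and the inline `style` are dropped, the `javascript:` href is removed while the `https:` link keeps its href and gains `rel="nofollow"`, and the `strong`, `ul` and `li` content passes through unchanged. Run the purifier on the stored copy (or at save time, then store the purified result) rather than relying on the editor's own configuration, since the editor runs in the browser and anything it enforces can be bypassed by posting the form directly. In CodeIgniter 3 the framework's own `$this->security->xss_clean()` is a separate, more generic filter; the thread's step 3 treats it as an additional layer, not as a replacement for the whitelist.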