Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter General Help WYSIWYG HTML Editor and Security
WYSIWYG HTML Editor and Security
  • Offline whatsmyname
    Newbie
  • *
  • Posts: 5
    Threads: 2
    Joined: Oct 2019
    Reputation: 0
#1
10-22-2019, 03:49 PM

Hello and thank you for taking the time to read this.

Im using a WYSIWYG HTML Editor (CKEditor) to allow the end user to use HTML. This will then be outputted at a later stage via the website. 

  • Is the XSS filter from the security class (https://codeigniter.com/user_guide/libra...urity.html) sufficient enough? 
  • Should I add additional protection such as HTML purifier?
  • Should I use regex or strip tags to filter any unwanted tags?
  • What's the best practice outputting data from WYSIWYG HTML Editor?




Thanks in Advance.
Reply
  • Offline Avega Soft
    Member
  • ***
  • Posts: 68
    Threads: 8
    Joined: Jan 2019
    Reputation: 2
#2
10-23-2019, 12:17 AM

Good questions join them.
Reply
  • Offline PaulD
    Posting Freak
  • *****
  • Posts: 1,061
    Threads: 42
    Joined: Mar 2015
    Reputation: 73
#3
10-23-2019, 12:54 AM

I am no expert on this and have struggled with this myself. HTML purifier is a must, as it also tidies up a lot of the messy HTML these WYSIWIG editors produce. Also it will strip out unwanted tags and, from my vague recollection, where you whitelist the allowed tags. When I tested the purification I found it to be excellent. I could not catch it out.

Personally, I have stopped using these editors, only because of the mess users make with these things. I now just have a form with, for instance, a title field, a subtitle, a paragraph subtitle, a paragraph content, and the ability to add a paragraph or add an image etc. It is a pain but it is a lot more manageable in the long run and preserves your layout/design. Otherwise you get massive purple titles in comic sans, writing with red backgrounds and green text, and usually tons of unwanted line breaks.

Anyway, if anyone knows of a better way to implement WYSIWYG I would love to hear it too.

However, I do like them and there are scenarios where they make sense. I find them unworkable and not as user friendly as you might imagine.

Paul.
Reply
  • Offline whatsmyname
    Newbie
  • *
  • Posts: 5
    Threads: 2
    Joined: Oct 2019
    Reputation: 0
#4
10-23-2019, 05:33 AM

Thanks for your reply @PaulD - This indeed is a touchy subject and has been for myself for many years on the best outcome. - I think a limitation on tags allowed bundled with XSS is the best possible way to approach this.

I believe this may be the best way:

1) Use HTML purifier
2) Limit the amount of tags your user may use within Use HTML purifier. e.g. headings, strong, paragraph, ul/li
3) Use XSS protection provided by CodeIgniter
4) Do not use strip_tags() unless you plan to strip all tags (https://www.reddit.com/r/PHP/comments/nj...trip_tags/)

If anybody can add to this please let me know.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB