With TinyMCE, do you need to handle HTML markup?

If you are using TinyMCE, does that mean you should handle HTML parsing on postback (while storing data in the DB)?

I.e. do you need to parse the output and make sure the hacky script was sent back, or can you make TinyMCE convert the HTML to safe markup?

+2




3 answers


You can never rely on a client to ensure that the content they host on your server is safe.

It's too easy for a potential attacker to disable these client-side measures and submit any dangerous content they want.



Therefore, you always need to validate your content on the server side, no matter which editor you are using in the browser.

+2




Yes, always!!! Consider whether the editor is turned off or JavaScript is not turned on.



0




We use "valid element" checking to make sure that we only get standard HTML from the editor. No scripting, no events on attached tags (like anchor tags with onclick events). Just boring, plain HTML.

http://wiki.moxiecode.com/index.php/TinyMCE:Configuration/valid_elements

0


