How do I let user insert HTML, but not other stuff

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA


Post by Luke »

I have a news module that uses TinyMCE as a WYSIWYG editor. I want my app to allow HTML formatting from this editor, but not JavaScript or SQL. What do you guys do for this type of thing?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

preg*
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Well, even with preg... what types of things do I check for?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Disallow event handlers (onClick, onSubmit, onMouseOver etc.) and of course the <script> tags.

However, as the other thread on this topic suggests, it's best you use a different markup to allow such editing, e.g. BBCode.

:)
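An added example (not code from this thread or from TinyMCE) of the allowlist form of the advice above: instead of trying to enumerate every event handler, the sanitiser parses the editor output with DOMDocument and keeps only listed tags and attributes, so every on* handler, style attribute, <script> and javascript: URL is dropped by default. It assumes PHP with the dom extension; the tag and attribute lists are illustrative and should be tuned to what the editor is configured to emit.

```php
<?php
// Allowlist sanitiser for editor output: keeps only listed tags/attributes, so every
// on* handler, style=, <script> etc. is dropped without enumerating them one by one.
function sanitize_html(string $html): string
{
    $allowed = [                                  // tag => attributes it may keep
        'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'u' => [],
        'ul' => [], 'ol' => [], 'li' => [], 'h2' => [], 'h3' => [], 'blockquote' => [],
        'a' => ['href', 'title'], 'img' => ['src', 'alt'],
    ];
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);             // editors emit tag soup; parse it anyway
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementById('root');
    $walk = function (DOMNode $node) use (&$walk, $allowed, $dropWithContent): void {
        foreach (iterator_to_array($node->childNodes) as $child) {   // snapshot: list mutates
            if (!$child instanceof DOMElement) {
                if (!$child instanceof DOMText) { $node->removeChild($child); } // comments, PIs
                continue;
            }
            $walk($child);                        // sanitise descendants first
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                if (!in_array($tag, $dropWithContent, true)) {   // unwrap: keep the text
                    while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                // Browsers ignore control chars/whitespace inside a scheme ("java\tscript:"), so
                // strip them first. Only http/https/mailto schemes pass; relative URLs (no colon) pass.
                $url = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                $urlOk = !in_array($name, ['href', 'src'], true)
                    || strpos($url, ':') === false || preg_match('#^(https?|mailto):#i', $url);
                if (!in_array($name, $allowed[$tag], true) || !$urlOk) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
    };
    $walk($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
```

Run it on the submitted body before storing (e.g. `sanitize_html($_POST['body'])`), and treat the SQL half of the question separately: that is a job for prepared statements, not for filtering the markup.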
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Hmm... maybe TinyMCE has some such markup... I will look into it.