Tinymce a security risk?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

zephid
Forum Newbie
Posts: 2
Joined: Mon Jul 09, 2007 12:27 am

Tinymce a security risk?

Post by zephid »

I am considering using TinyMCE as an editor for a forum and comment system. My question is then: would it be a security risk to use that kind of WYSIWYG editing?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Security? No. In fact, it may increase security (don't depend on it, though).
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's only a security risk if you accept its submissions as authoritative.
zephid
Forum Newbie
Posts: 2
Joined: Mon Jul 09, 2007 12:27 am

Post by zephid »

feyd wrote: It's only a security risk if you accept its submissions as authoritative.
I am using mysql_real_escape_string on all queries to the database. Would that be good?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

zephid wrote: I am using mysql_real_escape_string on all queries to the database. Would that be good?
I was actually referring to XSS as well as malformed tags and such, but yes, you should escape the input always too.
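As an added example (not code from the thread), here is one way to treat the editor's submission as non-authoritative on the server: re-parse the posted HTML, which also repairs malformed tags, and keep only an allowlist of elements and link targets. The function name `sanitize_editor_html()`, the tag allowlist and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The allowlist and the function
// name sanitize_editor_html() are assumptions chosen for illustration.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'blockquote', 'a'];

function sanitize_editor_html(string $html): string
{
    libxml_use_internal_errors(true);   // malformed markup is expected; silence warnings
    $doc = new DOMDocument();
    // The parser repairs unclosed and misnested tags; the meta tag makes it read UTF-8.
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $xpath = new DOMXPath($doc);
    // Snapshot the node list first, because the loop modifies the tree.
    foreach (iterator_to_array($xpath->query('.//*|.//comment()', $body), false) as $node) {
        if (!($node instanceof DOMElement) || !in_array($node->nodeName, ALLOWED_TAGS, true)) {
            // Comments and any element outside the allowlist go, contents included.
            if ($node->parentNode !== null) {
                $node->parentNode->removeChild($node);
            }
            continue;
        }
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            $isSafeLink = $node->nodeName === 'a' && $attr->nodeName === 'href'
                && preg_match('#^(?:https?://|mailto:)#i', $attr->value) === 1;
            if (!$isSafeLink) {
                $node->removeAttribute($attr->nodeName); // drops on*, style, javascript: links
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // text nodes are entity-escaped on output
    }
    return $out;
}

// Constructed sample submission: event handler, script element, script-scheme link, unclosed tags.
$posted = '<p onclick="x()">Hello <b>world<script>x()</script> '
    . '<a href="javascript:x()">bad</a> <a href="https://example.com/">ok</a>';
echo sanitize_editor_html($posted), "\n";
```

This filtering addresses the XSS and malformed-tag concern and is separate from escaping values for the SQL query, which is still needed when the result is stored. For production use, a maintained sanitizer such as HTML Purifier covers far more edge cases than a short allowlist walker.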