
Tinymce a security risk?

Posted: Mon Jul 09, 2007 12:30 am
by zephid
I am considering using tinymce as an editor for a forum and comment system. My question is, would it be a security risk to use that kind of WYSIWYG editing?

Posted: Mon Jul 09, 2007 6:15 am
by superdezign
Security? No. In fact, it may increase security (don't depend on it, though).

Posted: Mon Jul 09, 2007 6:52 am
by feyd
It's only a security risk if you accept its submissions as authoritative.

Posted: Mon Jul 09, 2007 11:18 am
by zephid
feyd wrote: It's only a security risk if you accept its submissions as authoritative.
I am using mysql_real_escape_string on all queries to the database, would that be good?

Posted: Mon Jul 09, 2007 11:33 am
by feyd
zephid wrote: I am using mysql_real_escape_string on all queries to the database, would that be good?
I was actually referring to XSS as well as malformed tags and such, but yes, you should escape the input always too.
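
Added example (not part of the original thread): one way to avoid treating the editor's HTML as authoritative is to re-parse it on the server and keep only allowlisted tags and attributes, which addresses both the XSS and the malformed-tag concerns raised above and is separate from SQL escaping. The function names, the tag and attribute allowlists and the sample input are assumptions chosen for illustration.

```php
<?php
// Added illustration. The allowlists and function names are assumptions.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
function clean_node(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes) as $node) { // snapshot: the loop mutates the tree
        if ($node instanceof DOMText) {
            continue; // text nodes are entity-escaped when serialized
        }
        $tag = strtolower($node->nodeName);
        if (!$node instanceof DOMElement || in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($node); // comments, script, style, embedded objects
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) { // not allowlisted: keep only its text
            $parent->replaceChild($node->ownerDocument->createTextNode($node->textContent), $node);
            continue;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            // href must be http(s), mailto or site-relative; everything else is dropped.
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('#^(https?://|mailto:|/)#i', trim($attr->value)) === 1);
            if (!$ok) {
                $node->removeAttributeNode($attr);
            }
        }
        clean_node($node);
    }
}

function sanitize_editor_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed markup is expected; parsing repairs it
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // re-serializing closes unbalanced tags
    }
    return $out;
}
// Constructed input: event handler, unclosed <b>, script block, javascript: link.
echo sanitize_editor_html('<p onclick="x()">Hi <b>there<script>alert(1)</script></p><a href="javascript:alert(1)">x</a>'), "\n";
```

The filter runs on every submission regardless of what the browser-side editor allowed, since a request can be sent without going through the editor at all.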