
TinyMCE Text editor security with HTML

I'm using the free JS plugin from tinymce and am interested in preventing HTML injection with the tinymce text editor. I've added this property to the INIT:

invalid_elements: 'script' (just for this example)

However, nothing happens. The editor still "accepts" the script tag and passes it on.

I looked at https://www.tiny.cloud/docs/tinymce/6/content-filtering/#invalid_elements and it should work, but I don't see any change once it's added.

Am I doing something wrong?

Is there a way to limit some HTML elements with this editor?

Any other tips on how to use that editor and prevent malicious HTML?

TinyMCE certainly has a variety of configuration options to help you control what content is created in the editor, but you can never assume that data provided to you client side is "clean" or "safe". Nefarious people can bypass your front end and all of its validation if their goal is to cause harm to your system.

You should always configure your front end appropriately. TinyMCE has a variety of configuration options to assist with content filtering/validation ( https://www.tiny.cloud/docs/configure/content-filtering/ ) to only allow those types of tags you want created, etc., including:

However, regardless of the front end design, you should always re-check submitted content on the server to ensure it is safe. There is simply no way around that need. What constitutes "safe" is likely a business decision based on what your application does and who uses it.

There are many different libraries you can use server side to do this sort of validation/cleansing, so depending on your specific server side setup you can find libraries that allow you to "sanitize/purify" the submitted HTML.

I would note that TinyMCE (by default) should not allow `<script>` tags in your content, so it is likely that such behavior could be due to your current configuration.
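As an added illustration of the server-side re-check the answer describes (this is not code from the question, the answer or the TinyMCE project), here is a strict allowlist sanitizer in plain Node.js with no dependencies: everything that is not an allowlisted element or attribute is dropped, text is re-escaped, and `<script>`/`<style>` bodies are discarded rather than passed through. The allowlists and the URL rule are constructed for this example; a production system would use one of the maintained "sanitize/purify" libraries the answer refers to, and `invalid_elements` in the TinyMCE init remains a front-end convenience only.

```javascript
// Constructed allowlists for this example; tune them to the business rules.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const DROP_CONTENT = new Set(['script', 'style']); // drop element and its text
const SAFE_URL = /^(https?:\/\/|\/)/i; // only http(s) or site-relative links

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuilds the HTML from scratch: the only raw '<' in the output come from
// allowlisted tag names, and every attribute value is re-escaped.
function sanitizeHtml(html) {
  let out = '';
  let skipUntil = null; // name of a <script>/<style> whose body is being discarded
  // Alternatives: a tag (name + raw attribute text), a run of text, or a stray '<'
  const token = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|</g;
  let m;
  while ((m = token.exec(html)) !== null) {
    const [whole, name, rawAttrs, text] = m;
    if (name === undefined) { // text node or stray '<': escape, never pass raw
      if (!skipUntil) out += escapeText(text ?? whole);
      continue;
    }
    const tag = name.toLowerCase();
    const closing = whole.startsWith('</');
    if (skipUntil) { // inside a dropped element: wait for its closing tag
      if (closing && tag === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_CONTENT.has(tag)) { if (!closing) skipUntil = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue; // unknown element: drop tag, keep text
    if (closing) { out += `</${tag}>`; continue; }
    // Rebuild attributes: allowlisted names only, values re-quoted and escaped
    let attrs = '';
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const key = a[1].toLowerCase();
      const val = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!ALLOWED_ATTRS[tag]?.has(key)) continue; // e.g. onerror= is never kept
      if (key === 'href' && !SAFE_URL.test(val)) continue; // rejects javascript: URLs
      attrs += ` ${key}="${escapeText(val)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out;
}
```

Run this on the request body after the editor submits, not on the editor's own output, since the former is what an attacker controls directly.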
