rich text editing, prevent embeded javascript code
Question
I made a website using the famous symfony framework. I wanted to add rich editing feature to it. And I found TinyMCE editor. But there comed a problem: how about the user embed some javascript code into the content? such as alert('hello world').
I tested wordpress, which is a very famous blog software. It faces the same problem. example .
It is no big deal if some one embed an alert script. But what if they embed some dangerous code? Have you encountered the same problem? Should I use markdown instead of html? Any good widget for markdown editing?
2 answers
solution1
3 2013-02-26 10:32:13
最好使用现有的库来清理您的用户输入,即html purifier项目: http : //htmlpurifier.org/似乎维护得很好。
solution2
1 ACCPTED 2010-08-25 13:11:25
Don't allow any embedded javascript in your user input. This is easy to clean out either on the client or the server. Have a "white list" of HTML tags you support, and remove any event listener attributes from whatever you do allow.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.