1
phreak_phy
WYSIWYG editors Vs. Security
  • 2006/8/29 23:04

  • phreak_phy

  • Just popping in

  • Posts: 14

  • Since: 2006/1/27


The problem I have with WYSIWYG editors is that HTML has to be enabled in the forum it is being used in. In doing so I open my site up to many XSS attacks. Is there a way to have WYSIWYG without HTML enabled (WYSIWYG BBcode?), or a way to prevent XSS attacks when HTML is enabled?

I want the best of both worlds, but exposing myself to XSS attacks is not an option.

2
WarDick
Re: WYSIWYG editors Vs. Security
  • 2006/8/29 23:12

  • WarDick

  • Just can't stay away

  • Posts: 890

  • Since: 2003/9/13


Right now the only solution is to limit access to the WYSIWYG to trusted user.

Here is an article about the possible development at GIJoes Website.
Urging XOOPS to be the Best It Can Be.
Richard......

3
phreak_phy
Re: WYSIWYG editors Vs. Security
  • 2006/8/30 2:42

  • phreak_phy

  • Just popping in

  • Posts: 14

  • Since: 2006/1/27


Well, how does IPB or vB do it?

Instead of a WYSIWYG BBcodeeditor, couldnt we just have some hefty text sanitization?

Login

Who's Online

218 user(s) are online (158 user(s) are browsing Support Forums)


Members: 0


Guests: 218


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Mar 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits