
In order to avoid XSS, I am sanitizing the input. If I allow certain attributes such as style, I am uncertain, and was unable to find a definite answer, whether allowing style in sanitize will prevent XSS or not. (The examples given in the answer are not permitted by sanitize and do not cause XSS.)

So for instance, if the user chooses the left-to-right or right-to-left text direction button, the output will be

<span style="direction:ltr"> user text </span>

I want to avoid that and somehow make it like this

<span class="LTR"> user text </span>

and I'll change the LTR classes afterwards in different css.

I tried changing the tinymce.yml, but the best I could do was break the form and not make it work.

Can someone give me an example of how to do this, so I could do this for all formats and styles? (Or is it better to use nokogiri or similar to parse it and change it myself?)

Nick Ginanto

1 Answer


I would do something like the following:

// Get the editor instance, then rewrite every element whose inline style is
// exactly "direction:ltr": drop the style attribute and add the LTR class.
// (The attribute value must be quoted in the selector, or jQuery rejects it.)
var editor = tinymce.get('your_editor_id');
$(editor.getBody()).find('[style="direction:ltr"]').removeAttr('style').addClass('LTR');

You may use the tinymce setup configuration parameter together with an event on which you want to perform this action:

tinyMCE.init({
   // ... other init options ...
   setup : function(ed) {
      // TinyMCE 3 event API: run the rewrite after every key release in the editor body
      ed.onKeyUp.add(function(ed, evt) {
          $(ed.getBody()).find('[style="direction:ltr"]').removeAttr('style').addClass('LTR');
      });
   }
});
Thariama
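The answer above handles one exact style value. The following is an added example, not code from the question, the answer or TinyMCE, that generalises it: a short whitelist of style declarations is mapped to classes and every other declaration is dropped, so the server-side sanitizer can refuse the style attribute entirely instead of allowing it. The class names (LTR, RTL, ALIGN_LEFT, ALIGN_RIGHT) are assumptions.

```javascript
// Added example (not from the question or answer): map a whitelist of inline
// style declarations to CSS classes and drop every other declaration, so the
// sanitizer never has to accept the `style` attribute. Class names are assumed.
const STYLE_TO_CLASS = {
  'direction:ltr': 'LTR',
  'direction:rtl': 'RTL',
  'text-align:left': 'ALIGN_LEFT',
  'text-align:right': 'ALIGN_RIGHT',
};

// Parse a style attribute value into normalised "property:value" pairs
// (lower-cased, surrounding whitespace removed, internal runs collapsed).
function parseDeclarations(style) {
  return style.split(';')
    .map(d => d.trim())
    .filter(Boolean)
    .map(d => {
      const i = d.indexOf(':');
      if (i < 0) return null;                 // malformed declaration, ignore
      const prop = d.slice(0, i).trim().toLowerCase();
      const value = d.slice(i + 1).trim().toLowerCase().replace(/\s+/g, ' ');
      return prop + ':' + value;
    })
    .filter(Boolean);
}

// Return the classes for whitelisted declarations and the list of dropped ones;
// anything not on the whitelist (url(), expression(), unknown properties) is dropped.
function styleToClasses(style) {
  const classes = [], dropped = [];
  for (const decl of parseDeclarations(style)) {
    const cls = STYLE_TO_CLASS[decl];
    if (cls) classes.push(cls); else dropped.push(decl);
  }
  return { classes, dropped };
}

// Apply the mapping to every styled element below `root` (for TinyMCE this is
// the element ed.getBody() returns in the setup callback). Standard DOM, no jQuery.
// Returns the number of declarations that were thrown away.
function rewriteStyledElements(root) {
  let dropped = 0;
  root.querySelectorAll('[style]').forEach(el => {
    const result = styleToClasses(el.getAttribute('style'));
    result.classes.forEach(c => el.classList.add(c));
    el.removeAttribute('style');  // no inline style survives, whitelisted or not
    dropped += result.dropped.length;
  });
  return dropped;
}
```

Running this client-side only shapes the markup; the server still has to sanitize the submitted HTML with style disallowed, since a user can bypass the editor and post anything.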