
I have already read a question about this here ... Now I know that there are many libs which allow me to sanitize my string...

The Problem

I use the TinyMCE editor for every text input on my website. Users can use HTML tags like <b>, <li>, <ol>, <p> and so on.

I don't want to "allow" cross-site scripting on my website, so I need a tool which can filter the "bad" tags :)

I want to use it like $string = sanitize($string). It doesn't have to be exactly like this, but it should be easy to use ^^

I already read about such tools, but I'm not sure which one is the best ...

Suggestions would be great :)

  • Why don't you just set your verify_html to true in TinyMCE? http://www.tinymce.com/wiki.php/Configuration3x:verify_html – Rachel Gallen Aug 02 '15 at 19:42
  • Or you could use the setContent method http://www.tinymce.com/wiki.php/API3:method.tinymce.Editor.setContent – Rachel Gallen Aug 02 '15 at 19:44
  • Is this secure? I mean, the thing is that jQuery isn't server-side? – Aug 02 '15 at 19:48
  • I think it is secure, yes. It's TinyMCE verified. But you should read this guy's solution https://www.leighton.com/blog/stop-tinymce-in-wordpress-3-x-messing-up-your-html-code – Rachel Gallen Aug 02 '15 at 19:50
  • I use it raw / without WordPress ... Second, I want to prevent adding custom HTML tags like – Aug 02 '15 at 20:12
  • Yeah, I thought that. I was looking at the PHP option; it can be added into any site, but if you'd rather not use script tags, well, use one of the other 2 options ... Defo both look good, but I think to get the best out of verify you have to initialise it on setup – Rachel Gallen Aug 02 '15 at 20:14
  • Of course it's not secure, purely client-side validation is never secure. – Sean Burton Oct 03 '17 at 13:14

1 Answer


You must do this check on the server side. It looks like yours is PHP (or Perl?). See this: Sanitizing HTML input

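As an added example of the server-side check the answer calls for (this is not code from the question, the answer, or TinyMCE), here is an allowlist-based PHP sanitizer usable as `$string = sanitize($string)`. It assumes PHP's bundled DOM extension, and the allowed tag/attribute set is an assumption extended from the tags the question names; adjust it for your site.

```php
<?php
// Added example, not code from the question or the answer: a server-side,
// allowlist-based sanitizer for TinyMCE output, usable as $string = sanitize($string).
// The allowlist below is an assumption extended from the tags the question names.
const ALLOWED = [ // tag => attributes permitted on it
    'p' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'br' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'a' => ['href', 'title'],
];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
function safeHref(string $url): bool
{   // browsers ignore control characters inside a URL, so strip them before reading the scheme
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
    return !preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)   // scheme-less (relative) is fine
        || in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

function cleanNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) { // static copy: we mutate the list
        if ($child instanceof DOMText) continue;
        if (!($child instanceof DOMElement)) { $node->removeChild($child); continue; } // comments etc.
        cleanNode($child); // clean descendants first, so unwrapped children are already clean
        $tag = strtolower($child->tagName);
        if (!array_key_exists($tag, ALLOWED)) {
            if (!in_array($tag, DROP_WITH_CONTENT, true)) { // unknown tag: keep its text, drop the tag
                while ($child->firstChild !== null) $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED[$tag], true) || ($name === 'href' && !safeHref($attr->value))) {
                $child->removeAttribute($attr->name); // drops on*=, style=, javascript:/data: links
            }
        }
    }
}

function sanitize(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate malformed markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // the PI makes libxml parse as UTF-8
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return ''; // nothing parseable, e.g. empty input
    cleanNode($body);
    // serialize only the body's children, so no <html>/<body> wrapper is returned
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes)));
}
```

With this allowlist, `<p onclick="x">hi</p>` becomes `<p>hi</p>`, `<script>` blocks are dropped with their content, and unknown wrappers such as `<div>` are removed while their inner text and allowed tags survive.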