WYMeditor forum

[noro]

Heyho,

My english is not quite good, but I hope you understand my question

I want to use WymEditor on my Site, now the question is: how safe is it?

Example: One User clicks on the "Show-Sourcecode" Button and Copy'n'Paste harmfull or unwanted code into the textarea. Like an YouTube Link (this little links with the 'object' tag within it) or if someone
tries to put some Javascript Code into the textbox (or the "Textbox-Source).

Does WymEditor catch this Input and "transform" it into "safe" code?

I tried it out and WymEditor add slashes, but I want to be sure, so I asked you.

If I were better in PHP I would look into the Source. I hope this question is not asked too often

Thx for help
Noro

[rostr]

It appears to me that wymeditor completely parses everything and removes any harmful content. For instance when I insert styles manually, I find that they are capitalized on the other end and rearranged.

You should be fine. If you are unsure, it never hurts to run something like HTML_Safe after the data is submitted.

[jfh]

Yes, the included XHTML Lexer/Parser normally only allows XHTML strict code, but it doesn't guarantee that it's 100% secure (this isn't WYMeditor purpose), so I'd recommend using a server-side filtering solution, such as HTML_Safe, or HTML Purifier.

[phoque]

NEVER EVER rely on the safety of clientside code!

People could simply deactivate JavaScript to bypass any of your security-features!