Forum closed. New forum available at http://community.wymeditor.org/

Safety of Wymeditor



Postby noro on Sat May 31, 2008 1:26 am

Heyho,

My English is not quite good, but I hope you understand my question ;)

I want to use WymEditor on my site; now the question is: how safe is it?

Example: One user clicks on the "Show Sourcecode" button and copies and pastes harmful or unwanted code into the textarea, like a YouTube link (these little links with the 'object' tag within them), or someone tries to put some JavaScript code into the textbox (or the "Textbox Source").

Does WymEditor catch this input and "transform" it into "safe" code?

I tried it out and WymEditor adds slashes, but I want to be sure, so I asked you.

If I were better in PHP I would look into the source. I hope this question is not asked too often ;)

Thx for help
Noro
noro
 
Posts: 1
Joined: Sat May 31, 2008 1:18 am

Re: Safety of Wymeditor

Postby rostr on Wed Jun 04, 2008 6:49 pm

It appears to me that wymeditor completely parses everything and removes any harmful content. For instance, when I insert styles manually, I find that they are capitalized on the other end and rearranged.

You should be fine. If you are unsure, it never hurts to run something like HTML_Safe after the data is submitted.
rostr
 
Posts: 22
Joined: Sun Jun 17, 2007 8:21 pm

Re: Safety of Wymeditor

Postby jfh on Thu Jun 05, 2008 7:14 pm

Yes, the included XHTML lexer/parser normally only allows XHTML Strict code, but it doesn't guarantee that it's 100% secure (this isn't WYMeditor's purpose), so I'd recommend using a server-side filtering solution, such as HTML_Safe or HTML Purifier.
jfh
Site Admin
 
Posts: 370
Joined: Sat Sep 23, 2006 8:43 pm
Location: Belgium

Re: Safety of Wymeditor

Postby phoque on Sun Jul 06, 2008 1:47 pm

NEVER EVER rely on the safety of client-side code!

People could simply deactivate JavaScript to bypass any of your security features!
phoque
 
Posts: 4
Joined: Sun Jul 06, 2008 1:45 pm
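
The two replies above make one point: the editor's client-side parser is a convenience, and the server has to filter the submitted HTML itself because a user can switch off JavaScript or post the form by hand. The following allowlist sanitizer, written in Python, is added here as an illustration of what that server-side step does; it is not code from WYMeditor, HTML_Safe, HTML Purifier or any poster in this thread. The tag and attribute allowlist, the rejected URL schemes and the sample input are all constructed for the example; a real deployment would use a maintained library such as the ones jfh names.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (constructed for this example): tag -> attributes it may keep.
# Anything not listed is removed; text inside an unknown tag is kept.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h1": set(), "h2": set(), "h3": set(), "pre": set(), "code": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements removed together with everything inside them (the pasted
# YouTube <object> from the question, scripts, styles, frames).
DROP_CONTENT_TAGS = {"script", "style", "object", "iframe"}


def clean_url(value):
    """Return the URL if its scheme is acceptable, otherwise None.

    Browsers ignore tabs, newlines and other control characters inside a
    URL, so they are stripped before the scheme is examined; otherwise a
    value like 'java\\nscript:' would pass a naive startswith() check.
    """
    value = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlparse(value).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return value          # relative URL or allowlisted scheme
    return None


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from the allowlist. Comments, declarations and
    unknown tags are dropped, and open tags are rebalanced on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted, still-open tags
        self.drop_depth = 0   # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue          # e.g. onclick, onerror, style
            if name in URL_ATTRS:
                value = clean_url(value)
                if value is None:
                    continue      # javascript:, data:, vbscript:, ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it so the output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:            # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(html):
    """Sanitize untrusted HTML submitted from the editor's source view."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of what a user might paste into the source view.
    SAMPLE = ('<p onclick="alert(1)">Hello <strong>world</strong></p>'
              '<object><param name="movie" value="v.swf"><embed src="v.swf"></object>'
              '<script>document.cookie</script>'
              '<a href="java&#10;script:alert(1)">click</a>'
              '<img src="pic.png" onerror="alert(1)" alt="pic">'
              '<p>unclosed <em>tag')
    print(sanitize(SAMPLE))
```

Run it on the server after the form is submitted, never only in the browser: the allowlist approach keeps the markup the editor is meant to produce and discards everything else, so a user who bypasses the editor entirely gets the same result as one who pastes into the source view.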
