1
votes

I'm using TinyMCE on a textarea, which is submitted serverside and stored in the database. An example of what I have in the database could be:

<p>&lt;script&gt;console.log("mce");&lt;/script&gt;</p>

So, the JavaScript is already escaped. My issue is, what if a malicious user bypasses TinyMCE and just submits raw data in the textarea with unescaped JavaScript?

When another user needs to display this, how can I safely output it? I can't use htmlspecialchars as I would like the HTML content itself. I could manually check serverside (Laravel) for any <script></script> tags and rewrite these, but then what about inline JavaScript?

1
You could use HTML Purifier to filter the submission before you put it into the database. It works in PHP.
KIKO Software

1 Answer

2
votes

You can never assume that data provided to you client side is "clean" or "safe". As you correctly surmised, nefarious people can bypass your front end and all of its validation.

You should always configure your front end appropriately. Validate data, configure TinyMCE to only allow those types of tags you want created, etc.

However, regardless of the front end design, you always have to re-check submitted content on the server to be safe. There is simply no way around that need.

There are many different libraries you can use server side to do this sort of validation/cleansing including the HTML Purifier that is mentioned in a comment to your original post.
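As an added illustration of the server-side cleansing the answer and the comment recommend (this is example code written for this page, not code from the question, the answer or the HTML Purifier project), the snippet below runs submitted TinyMCE content through HTML Purifier with an allowlist of elements and URI schemes. It assumes the `ezyang/htmlpurifier` package has been installed with Composer; the function names and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: cleanse rich-text input on the server with HTML Purifier.
// Assumes `composer require ezyang/htmlpurifier` has been run (assumption).
require __DIR__ . '/vendor/autoload.php';

// Build (once) a purifier that only keeps the markup the editor is expected
// to produce. Everything else, including <script>, <style>, <iframe> and
// on* event-handler attributes, is dropped rather than escaped.
function richTextPurifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allowlist of elements and attributes (adjust to your TinyMCE setup).
        $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
        // Only these URI schemes may appear in href/src; javascript: and data:
        // URLs are removed along with the attribute that carried them.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // Disable the definition cache so the script runs without a writable cache dir.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

// Call this on the raw request value before it is stored in the database.
function sanitizeRichText(string $dirty): string
{
    return richTextPurifier()->purify($dirty);
}

// Constructed inputs: the first is normal TinyMCE output (already-escaped
// text inside <p>), the rest are what a client bypassing the editor could send.
$samples = [
    '<p>&lt;script&gt;console.log("mce");&lt;/script&gt;</p>',
    '<p>hello</p><script>console.log("raw")</script>',
    '<p onmouseover="console.log(\'inline\')">hover me</p>',
    '<a href="javascript:console.log(\'href\')">link</a>',
];

foreach ($samples as $dirty) {
    echo $dirty, "\n  => ", sanitizeRichText($dirty), "\n";
}
```

The first sample comes back unchanged, because escaped entities are plain text and nothing in it is executable; for the others HTML Purifier removes the script element, the onmouseover attribute and the javascript: href, which is what the question's manual tag-rewriting could not reliably do for inline handlers. In a Laravel controller the same call would sit between the request and the model (for example `$post->body = sanitizeRichText($request->input('body'));`), and the stored, already-purified HTML is then rendered with Blade's unescaped `{!! $post->body !!}` syntax; content that has not passed through the purifier should only ever be printed with the escaping `{{ }}` form.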