Hi !
I have tried putting some JavaScript and PHP code in the content of CKEditor's textarea, and I discovered that it wasn't purified:
Examples: attributes like onclick, the tags <script> and <?php ?>, etc.
I bet it's very risky to let my website's users post code in the editor.
So how can I circumvent this problem?
Thanks!
Re: Code injection in ckeditor
I've found a certain package named htmlpurifier.
Do you think that it is sufficient to secure the content of the editor before inserting it in the database?
Re: Code injection in ckeditor
You have to perform tests, check their recommendations, how they affect the content, understand the options of that purifier and CKEditor, and why you want to allow people that you don't trust to use CKEditor...
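One way to run the kind of test the reply above suggests, as an added example that is not code from the thread, from CKEditor or from HTML Purifier: pass the submitted editor content through HTML Purifier with an explicit whitelist before it is stored, and inspect what survives. It assumes HTML Purifier was installed with Composer (package ezyang/htmlpurifier) so that vendor/autoload.php exists; the sample input is constructed to contain the onclick, <script> and <?php ?> cases the question mentions.

```php
<?php
// Added example (not from the thread). Assumes HTML Purifier installed via
// Composer (ezyang/htmlpurifier), which provides vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only what the editor toolbar actually needs. Everything else
    // (script, event-handler attributes such as onclick, unknown tags,
    // processing instructions like <?php ?>) is dropped, not escaped.
    $config->set(
        'HTML.Allowed',
        'p,br,strong,em,u,ul,ol,li,blockquote,h2,h3,a[href],img[src|alt]'
    );
    // Only plain web schemes in href/src, so javascript: and data: URLs are rejected.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // HTML Purifier caches its definitions; point it at a writable directory.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

function sanitizeEditorContent(string $dirtyHtml): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildPurifier();
    }
    return $purifier->purify($dirtyHtml);
}

// Constructed sample resembling what the question describes being posted
// through the editor: an event handler, a script tag, a PHP tag, a javascript: link.
$submitted = '<p onclick="alert(1)">Hello <strong>world</strong></p>'
    . '<script>alert(document.cookie)</script>'
    . '<?php echo "server side"; ?>'
    . '<a href="javascript:alert(2)">link</a>';

$clean = sanitizeEditorContent($submitted);

// Store $clean (never $submitted), using a prepared statement. Purify on input
// AND keep the same whitelist when rendering, so later changes to the editor
// configuration cannot reintroduce markup that older rows were never checked for.
echo "Submitted: ", $submitted, PHP_EOL;
echo "Stored:    ", $clean, PHP_EOL;
```

Run it from the command line and compare the two lines; each element or attribute you expected to keep but lost tells you what to add to HTML.Allowed, while anything that survives that you did not intend to allow means the whitelist is too broad.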