How can I prevent a user from inputting something like:
<p style="left: 0px; position: absolute; top: 0px; width: 1000px; height: 1000px; background-color: #000000;">Message</p>
in the source view of FckEditor?
Of course, I want users to be able to put in custom tags, so I need to provide users with the Source View ability. So I cannot solve the problem by disabling the source view option.
I tried to search the forum but had no luck. I couldn't find any useful information to solve the problem. If anyone has a solution, please help me.
RE: Security concern on UI of site with FckEd
You could always add a filter on the server side that checks for CSS like you've described.
RE: Security concern on UI of site with FckEd
- Adding a filter on the server side is one solution, thank you.
Is there any configuration on FCKEditor that I can set?
RE: Security concern on UI of site with FckEd
There are lots of ways to inject anything in the HTML, so such a filter must be really aggressive or a scumbag will find a way to inject something nasty and you'll have a big headache.
RE: Security concern on UI of site with FckEd
Well, it still needs the server-side check, right? Because people can inject some dirty code anyway without source view. So I guess the best way is to use a normal textbox. > <
RE: Security concern on UI of site with FckEd
ex:
^<(/)?(LINK|IFRAME|FRAMESET|FRAME|APPLET|OBJECT|SCRIPT)([^>]*)>
There's more to it than this, but it should get you started.