SMF2 & TinyMCE WYSIWYG?

Started by rv77, June 08, 2011, 06:00:35 AM


rv77

How much trouble would it be to use tinyMCE as a WYSIWYG editor instead of using bbc?

Arantor

Depends. How secure do you want it?

(Hint: a good number of the last few patches in WordPress were to counter vulnerabilities introduced through the filtering applied on their implementation of TinyMCE.)
Holder of controversial views, all of which my own.


rv77

Quote from: Once Upon A Star on June 08, 2011, 06:15:34 AM
Depends. How secure do you want it?

(Hint: a good number of the last few patches in WordPress were to counter vulnerabilities introduced through the filtering applied on their implementation of TinyMCE.)

Can't you just disable the "edit HTML" button in tinymce to disable most code insertions?

Arantor

No, you can't. Security by design requires you to verify what the user inputs, regardless of anything else, and assume it's unsafe until you know otherwise. Trusting it to be correct just because of a tickbox means nothing, since there would be nothing to stop me using Firebug or Chrome Dev Tools to modify the form and tell it that it's safe when it isn't...
Holder of controversial views, all of which my own.
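To make the point above concrete: whatever the client sends, the server re-parses the submitted HTML against an allowlist of tags and attributes, strips scripts, event handlers and unsafe URL schemes, and ignores any "this is safe" flag the form might carry. The following is an added illustration and not code from SMF, TinyMCE or this thread; SMF itself is written in PHP, and the tag list, the `html_is_safe` field name and the sample submission are all constructed for the example.

```python
"""Server-side allowlist sanitizer for editor-submitted HTML (illustrative, not SMF code).

The key property: the client is never trusted. A `client_says_safe` flag is
accepted as a parameter only to show that it is deliberately ignored; a user
can flip any form field with the browser's dev tools, so the server must
decide for itself.
"""
import html
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Assumed policy for the example: a small formatting vocabulary and links only.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li",
                "a", "br", "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # every other attribute (onclick, style, ...) is dropped
VOID_TAGS = {"br"}                          # emitted without a closing tag
SKIP_CONTENT_TAGS = {"script", "style"}     # drop the element *and* its text
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(url: str) -> bool:
    """Allow relative URLs and a short list of schemes; reject javascript:, data:, etc.

    Control characters and whitespace are removed first so that
    'java\\tscript:' or '  JavaScript:' cannot slip past the scheme check.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20 and ord(ch) != 0x7F)
    scheme = urlsplit(cleaned).scheme.lower()   # urlsplit lower-cases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document, keeping only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_stack: List[str] = []     # tags we emitted, so closes stay balanced
        self.skip: Optional[str] = None     # set while inside <script>/<style>
        self.dropped = 0                    # count of tags/attributes removed

    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in SKIP_CONTENT_TAGS:
            self.skip = tag
            self.dropped += 1
            return
        if tag not in ALLOWED_TAGS:        # unknown tag: drop the tag, keep its text
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1           # e.g. onclick, onerror, style
                continue
            if name == "href" and not safe_url(value):
                self.dropped += 1           # e.g. javascript:alert(1)
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip:
                self.skip = None
            return
        if tag in self.open_stack:          # close up to and including `tag`
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        # stray closing tags are simply ignored

    def handle_data(self, data):
        if self.skip:
            return                          # script/style bodies are discarded
        self.out.append(html.escape(data, quote=False))   # all text is re-escaped

    def close(self) -> None:
        super().close()
        while self.open_stack:              # balance anything left open
            self.out.append(f"</{self.open_stack.pop()}>")


class Sanitized(NamedTuple):
    html: str
    dropped: int


def sanitize_post(body: str, client_says_safe: bool = False) -> Sanitized:
    """Sanitize regardless of what the client claims about its own input."""
    del client_says_safe                    # deliberately unused: the client's opinion is irrelevant
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return Sanitized("".join(parser.out), parser.dropped)


# Constructed sample of a tampered form submission (not real forum data).
SAMPLE_SUBMISSION = {
    "message": ('<p>Hi <b>all</b></p><script>alert(1)</script>'
                '<a href="javascript:alert(document.cookie)" onclick="alert(1)">click</a>'
                '<img src=x onerror="alert(1)"><p>see <a href="https://example.org/">here</a></p>'),
    "html_is_safe": "1",                    # what a user-edited form might send
}

if __name__ == "__main__":
    result = sanitize_post(SAMPLE_SUBMISSION["message"],
                           client_says_safe=SAMPLE_SUBMISSION["html_is_safe"] == "1")
    print(result.html)
    print(f"removed {result.dropped} tags/attributes")
```

The sanitizer is an allowlist, so anything not explicitly permitted is removed, which is the safe default when a new tag or attribute shows up in a later browser or editor version. Note that it strips disallowed tags but keeps their text, while `<script>` and `<style>` lose their bodies too; if a site also allows `style` attributes or `img`, each of those needs its own value checks rather than a blanket permit.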

