Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Documentation: Example serverside sanitization configurations #3032

Open
antsstyle opened this issue Dec 13, 2023 · 1 comment
Open

Comments

@antsstyle
Copy link

📝 Provide a description of the new feature or improvement

In the TinyMCE documentation here, it is pointed out that server-side filtering of input users submit through TinyMCE should take place. There is not, however, any detail about how this should be done, and issues that users would commonly face when putting input through libraries designed to perform this function.

🫶 What is the motivation?

Making the documentation more clear, and ensuring TinyMCE is used in a more secure fashion. WYSIWYG content is difficult to parse without breaking, making it awkward to sanitise server-side without careful configuration.

For instance, I've been experimenting with doing this via the HTMLPurifier library for PHP; with the default configuration, emoticon image sizes are stripped out by HTMLPurifier making them render in full size, requiring extra configuration steps and understanding to prevent it breaking content. I have not tested other TinyMCE functions yet, but would imagine it breaks a fair few of them.

🔗 What is the consequence of not having this feature?

Not having some decent examples of how to use TinyMCE in conjunction with serverside filtering makes it less likely developers will actually perform serverside sanitisation, and will rely on the TinyMCE editor sanitising content client-side before displaying it.

🚦 How important would you rate the requested feature or improvement?

Important.


If you'd like to see this implemented sooner, add a 👍 reaction to this post.

@antsstyle antsstyle changed the title TinyMCE Security Documentation: Example configurations TinyMCE Security Documentation: Example serverside sanitization configurations Dec 13, 2023
@antsstyle antsstyle changed the title TinyMCE Security Documentation: Example serverside sanitization configurations Security Documentation: Example serverside sanitization configurations Dec 13, 2023
@TheSpyder TheSpyder transferred this issue from tinymce/tinymce Dec 14, 2023
@amir-mahdih86
Copy link

Did you find any answer or solution for that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants