
I have a public editor where users can share notes using TinyMCE, but I'd like to prevent them from inserting JavaScript or SQL (any type of script) in this editor.

So my question is: how?

Here is my editor code

<script src="{{asset('js/tinymce/tinymce.min.js')}}"></script>
<script>
    $(document).ready(function() {
      tinymce.init({
        selector: '.editor',
        toolbar: [
          'bold italic alignleft aligncenter alignright | bullist numlist outdent indent blockquote | removeformat underline strikethrough subscript superscript | hr | link unlink | table',
          'fontselect formatselect fontsizeselect forecolor backcolor'
        ],
        plugins: 'advlist, lists, image, codesample, imagetools, wordcount, link, colorpicker, table, textcolor, hr',
        menubar: false,
        advlist_bullet_styles: 'square',
        advlist_number_styles: 'lower-alpha,lower-roman,upper-alpha,upper-roman',
        branding: false,
        height: 300,
        removed_menuitems: 'tools, insert, view',
        browser_spellcheck: true,
        contextmenu: false
      });
    });
</script>


mafortis

1 Answer

There is a public class named AntiXSS; you can use it like below.

string safeHtml = AntiXss.GetSafeHtmlFragment(html);

Usually in your situation, SQL injection will not be a threat due to the SQLi's principle.

TIAOWANG
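A worked illustration of the server-side sanitisation the answer points at, added here and not taken from either post: an allowlist HTML sanitizer in Python (illustrative; in a Laravel app the equivalent is a maintained library such as HTML Purifier). TinyMCE's configuration runs in the user's browser and can be bypassed, so the check has to run on the server before the note is stored or rendered.

```python
# Added example: minimal allowlist HTML sanitizer run server-side on editor output.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches the formatting the question's toolbar offers; anything else is dropped.
ALLOWED_TAGS = {"p", "br", "hr", "b", "strong", "i", "em", "u", "s", "sub", "sup", "ul", "ol",
                "li", "blockquote", "a", "span", "table", "thead", "tbody", "tr", "th", "td"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # their text is discarded too
VOID_TAGS = {"br", "hr"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL

def safe_url(value):
    # Browsers strip tab/CR/LF before parsing a URL, so do the same ("jav\tascript:" must not pass).
    cleaned = "".join(ch for ch in (value or "") if ch not in "\t\n\r").strip()
    return urlsplit(cleaned).scheme in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:  # on*, style, src etc. are simply not on the allowlist
                if name in ALLOWED_ATTRS.get(tag, ()) and (name != "href" or safe_url(value)):
                    kept += f' {name}="{escape(value or "")}"'
            self.out.append(f"<{tag}{kept}>")
        # any other tag is removed but its text content (handle_data) is kept

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text (and decoded entities) re-escaped

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The sanitizer does not balance unclosed tags; a production library also normalises the tree, which is one more reason to prefer one over hand-rolled code.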