Open BaHeK1994 opened 5 years ago
TomaszGasior
commented
5 years ago I don't see any issue related to this bundle here. Regardless of used WYSIWYG editor you MUST do validation/sanitization on your own, using good tools like: https://github.com/tgalopin/html-sanitizer-bundle
BaHeK1994
commented
5 years ago Without an editor, the default is to escape HTML characters and there are no problems. It turns out this bandl adds only a few javascript lines and no backend check? You can, by default, add the same html-sanitizer-bundle to yourself and add backend processing to the html so that developers can safely install the bundle from the composer without unnecessary actions.
TomaszGasior
commented
5 years ago Without an editor, the default is to escape HTML characters
No, it isn't. Symfony framework itself does not escape HTMl characters while saving. Escaping/sanitizing should be done using sanitizer while saving or reading or on template side, using twig filter. IMHO this bundle is not responsive for handling data the way you want.
You may want provide your application repository to see how is done "submit" action shown on screenshot.
BaHeK1994
commented
5 years ago When displaying, twig shields HTML by default.
{% set var = '<p>test</p>' %}
{{ var }}output:
<p>test</p>
Unfortunately, I can not provide access, because the private repository. To generate the form used https://github.com/sonata-project/SonataAdminBundle
lukepass
commented
2 years ago Using FOSCKEditorBundle is as simple as this:
->add('content', CKEditorType::class, [
'config_name' => 'advanced',
'required' => false,
'sanitize_html' => true, // this is the important line
])
1) Open form
2) Open browser console
3) CKEDITOR.instances[textareaId].destroy(true);
4) Paste XSS
5) Submit
