Closed zeraphie closed 7 years ago
Hi @zeraphie - the short answer is it doesn't - you can't rely on a client side library such as CT sanitising the HTML submitted by a user to your site. That task is something that can only safely be performed server side and as such is outside the scope of CT.
What CT does do is provide some basic validation of HTML when users use the code editor tab in the properties dialog and allow you to restrict the attributes which can be edited against different tag types. However none of these will prevent a user maliciously (or otherwise) sending you server-side save script unsafe content.
Ant
Thank you, I had had a discussion about this at the workplace, and am doing the sanitising via PHP, which is how I thought it'd happen; it just seemed like there was something already happening :)
No problem - sounds like you're handling it correctly :D
Hey there,
I've been wondering how content tools handles sanitising input and escaping HTML (to prevent stuff like cross-site scripting), as this is one of the requirements for the system I'm making to be secure, but I haven't really been able to find how it handles it (I do know that it looks like it does escape it... just not sure how).
tl;dr Looking for documentation/faq style stuff on how content tools handles sanitising/escaping/csrf-vulnerabilities
Thanks!