Status: Closed (WhiteaglePT closed this issue 12 years ago)
I think that rather than switching to a different editor, it would be easier to simply strip all entered script tags in the current editor.
Note that the one currently used is WYSIHTML5 and the issue of security is addressed here. It would seem that I have neglected to include a server-side sanitizer, which I believe was due to me trying to get Tweets embedded into the editor, which meant I temporarily allowed script tags. I found a workaround for the Tweets problem, so this can easily be sorted without changing editors.
node-validator provides an XSS sanitizer, as well as validating other user inputs, so this will be implemented in the 0.0.3 release.
At this time you can enter any HTML content in the WYSIWYG editor, which means that you can embed external or inline JS and/or other malicious content.
Proof of concept: http://xforum.slashmanx.com/topic/testing-embeds/
I injected a script there:
<script>document.location=....;</script>
A safe HTML/JavaScript editor (like TinyMCE or similar) should be considered, or the use of BBCode or similar.
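The thread above settles on server-side sanitization rather than a different editor. The example below is added here as an illustration and is not xforum's code, not WYSIHTML5, and not node-validator's sanitizer: it is an allowlist-based HTML sanitizer for Node.js that keeps only a fixed set of tags and attributes, drops `<script>`/`<style>` elements together with their bodies, and accepts `href`/`src` only with an allowlisted scheme. The constructed sample payloads show why removing `<script>` tags alone, as suggested earlier in the thread, does not close the hole: an `onerror` handler on an `<img>`, or a `javascript:` link with a tab inserted to dodge a naive string match, carries no script tag at all. The tag and attribute names in the policy, the `SAFE_URL` rule and the sample inputs are all assumptions made for this example.

```javascript
// Added illustration (not the project's code, not node-validator): an allowlist-based
// server-side HTML sanitizer. Anything not explicitly allowed is dropped; script/style
// bodies are removed whole; event-handler attributes never survive because only
// policy-listed attributes are copied; href/src must use an allowed scheme.
// The tokenizer is a regex, not an HTML5 parser (it does not handle '>' inside quoted
// attribute values); in production use a maintained sanitizer with the same policy.

// Policy (assumed for this example): tag -> attributes that may be kept on it.
const ALLOWED_TAGS = new Map(Object.entries({
  p: [], br: [], b: [], i: [], em: [], strong: [], ul: [], ol: [], li: [],
  blockquote: [], a: ['href', 'title'], img: ['src', 'alt'],
}));
const VOID_TAGS = new Set(['br', 'img']);
// Allowed URL forms: http(s), mailto, root-relative path, fragment. "javascript:",
// "data:", entity-encoded schemes and protocol-relative "//" all fail this test.
const SAFE_URL = /^(?:https?:\/\/|mailto:|\/(?!\/)|#)/i;

function escapeText(s) {
  return s
    .replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/gi, '&amp;') // keep existing entities
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function parseAttrs(raw) {
  const attrs = Object.create(null);   // no prototype, so "__proto__" cannot collide
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : (m[4] || '');
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

function sanitizeHtml(input) {
  const out = [];
  const open = [];   // allowed tags currently open, so the output is always balanced
  let i = 0;         // start of the text run not yet emitted
  const tagRe = /<(\/?)([a-z][a-z0-9]*)([^>]*)>|<!--[\s\S]*?-->/gi;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out.push(escapeText(input.slice(i, m.index)));
    i = tagRe.lastIndex;
    if (m[2] === undefined) continue;                    // HTML comment: dropped
    const name = m[2].toLowerCase();
    const closing = m[1] === '/';
    if (name === 'script' || name === 'style') {
      if (!closing) {                                    // drop the element and its whole body
        const end = input.toLowerCase().indexOf('</' + name, i);
        if (end === -1) { i = input.length; break; }     // unterminated: drop the rest
        const gt = input.indexOf('>', end);
        i = gt === -1 ? input.length : gt + 1;
        tagRe.lastIndex = i;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;               // unknown tag dropped, its text kept
    if (closing) {
      if (open.includes(name)) {                         // close down to the matching open tag
        let t;
        do { t = open.pop(); out.push('</' + t + '>'); } while (t !== name);
      }
      continue;
    }
    const attrs = parseAttrs(m[3]);
    let tag = '<' + name;
    for (const a of ALLOWED_TAGS.get(name)) {            // only policy-listed attributes survive
      if (!(a in attrs)) continue;
      let v = attrs[a];
      if (a === 'href' || a === 'src') {
        v = v.replace(/[\s\x00-\x1f]/g, '');             // defeat "java\tscript:" obfuscation
        if (!SAFE_URL.test(v)) continue;
      }
      tag += ' ' + a + '="' + escapeText(v) + '"';
    }
    out.push(tag + (VOID_TAGS.has(name) ? ' />' : '>'));
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  out.push(escapeText(input.slice(i)));
  while (open.length) out.push('</' + open.pop() + '>');
  return out.join('');
}

// Constructed payloads; each one passes a filter that only removes <script> tags.
const SAMPLES = [
  '<p>Hi <ScRiPt>document.location="http://evil.example/";</script>there</p>',
  '<img src=x onerror=alert(1)>',
  '<a href="java\tscript:alert(1)">click</a>',
  '<a href="https://example.com" onclick="steal()">ok</a>',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', JSON.stringify(sanitizeHtml(s)));
```

Run it with `node` on the server side, on the stored post body, not in the browser: a client-side editor can be bypassed entirely by posting the raw HTML. The policy is deliberately a closed allowlist (what may stay) rather than a denylist (what must go), because the denylist has to anticipate every encoding and attribute trick, while the allowlist only has to describe the markup the forum actually wants to render.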