Quote:
frankblack wrote:
Quote:Thus, any WYSIWYG editors work non-sense.
? What do you mean? Every WYSIWYG editor IS non-sense or PRODUCES non-sense?
I just mean WYSIWYG editors make non-sense for myAlbum-P.
myAlbum-P is a module that can usually be posted to by untrusted users.
Thus, I disable HTML for the module.
It is just an issue of designing.
Quote:
As for tinyeditor (or tinyMCE) WYSIWYG is a BIT safer, since this editor uses his own sanitizer. I DO know that client-side sanitizing is not the best thing to rely on, but it is a start. Maybe there should be another server-side sanitizer checking the HTML code again.
Client-side sanitizing?
It is really non-sense.
Do you know the difference between "Script Insertion"(or HTML Injection) and "XSS" ?
"Allowing HTML" invites "Script Insertion" instead of "XSS".
Only server-side checking can stop malicious POSTs.
And perhaps "sanitizing HTML" at server-side makes non-sense too.
Only "rebuilding HTML" at server-side protects sites from ScriptInsertion.
I've written the fact on this site long ago.
Quote:
Maybe it would be a good option to let the user of your modules decide if they want to use WYSIWYG? Make a BIG FAT warning and you are out of responsibility.
I cannot agree with it.
Because myAlbum-P is a module that can usually be posted to by untrusted users.
The BIG FAT warning makes non-sense for almost all site owners.
Thus I always answer "Hack it by yourself with your responsibility" to anybody.
Quote:
Just a thought, as I know that
is already evil.
I cannot understand it.
What's the evil?
<b>b</b> is escaped as &lt;b&gt;b&lt;/b&gt; for HTML browser.
It's quite natural.
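The "rebuilding HTML" approach argued for in the post above, as an added example that is not myAlbum-P's or XOOPS' own code: untrusted input is parsed on the server, only tags and attributes on an allow-list are regenerated from scratch, and everything else (unknown tags, event-handler attributes, non-http links, script bodies) is re-emitted as escaped text. The allow-list contents and the URL schemes are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Allow-list: tag -> attributes that tag may keep (constructed for this example).
ALLOWED = {"b": set(), "i": set(), "u": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                                   # tags that never get a closing tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # assumed acceptable link schemes


class Rebuilder(HTMLParser):
    """Regenerate HTML from an allow-list; nothing from the input is copied verbatim."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_tags = []    # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:                      # unknown tag -> visible escaped text
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                            # drops onclick=, style=, etc.
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                            # drops javascript:, data:, ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:                   # close anything nested inside it
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        elif tag not in ALLOWED:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))               # script bodies land here, escaped


def rebuild_html(untrusted: str) -> str:
    """Return well-formed HTML containing only allow-listed markup."""
    r = Rebuilder()
    r.feed(untrusted)
    r.close()
    while r.open_tags:                              # close tags the input left open
        r.out.append(f"</{r.open_tags.pop()}>")
    return "".join(r.out)
```

Compare this with a "sanitizer" that searches the input for bad patterns: here the output is built only from what the parser understood, so a tag or attribute the filter did not anticipate simply never reaches the page as markup.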