WYSIWYG and XSS

I'm using TinyMCE as my online editor but I'm concerned of XSS attacks etc.. I though of replacing all < and >, but that doesn't see开发者_StackOverflow中文版m to be an option with this kind of editor and I'm not sure removing script tags is enough too (what about onclick, onmouseover and other events).

What should be my approach to avoid such attacks?

---

You have to choose, security or convenience. The WYSIWYG editor like TinyMCE is very convenient. It allows non-experts to use a web interface to update some content with or without html tags. Its the lazy way to allow someone non-technical to update html, and it comes with all kinds of hazards. When you give users access to TinyMCE interface to your database it is absolutely equal to giving them a database client to update data directly in your database.

ALso, note that today there is a great deal of Cross-Site-Scripting that is not malicious, that is in fact facebook, linkedin, youtube, etc integration that requires script references to third party domains etc.

So if you harden the TinyMCE tool so that XSS can not be added it will be useless to a serious web developer in many scenarios.

But if you need to make an add/edit/update/delete editor XSS proof you need to validate and sanitize all inputs and your best choice is to roll your own.

---

In theory you can eliminate XSS like this, but in practice its difficult. There always seems to be something that you've overlooked.

The best way I've found is to use a regular expression to only permit use of certain tags that you specify ( <strong>, <em> etc) and remove all others. You also need to look for attempts to circumvent your protection by users encoding characters.