JavaScript filtering of content submitted by a rich text editor

Source: Internet
Author: User
A typical rich text editor such as Baidu's ueditor returns a piece of HTML code directly after editing. In order to prevent XSS, I want to ask everyone: what is a better solution for filtering it after it is stored? (The front end reads the HTML directly; this question itself, for example, is submitted through a rich text editor.)

What I currently know can be used:

    • Setting the rich text editor to plain-text paste (this may be inconvenient for users, but the SF editor seems to do this, and hyperlinks are retained)
    • Some class libraries, such as the kses PHP HTML filter class, which let you set the tags and tag attributes to keep

Does anyone have a good and efficient way to do it?

Reply content:

Plain-text pasting is used to reduce the amount of invalid HTML code; it has no effect on preventing XSS. Any JS code on the client is naked in front of the attacker.

If you only need the usual rich text edits and don't need to change the HTML code directly, consider UBB code.
If you have to support HTML directly, you can find an XSS filter from open source projects such as WordPress/Drupal.

I don't agree with @Pachitea's "pick-up" scheme.
If the purpose is anti-XSS, defending on the front end is no defence at all; it must be filtered on the server.
For example, Renren's blog edit box once used TinyMCE, and the front end came with a filtering function (the escaping trick), so they did not filter on the server! On the front end, as long as JS is disabled so that TinyMCE fails to load and exposes the bare textarea, JS code can be injected.

So to prevent this, no matter how strict the front end is, the server must do it again.

To be ruthless, escape "<" and ">".
A little looser: remove the script, iframe and other such tags.
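Server-side allow-list filtering of the kind this reply calls for, as an added example that is not code from any poster here, nor from kses, UEditor or any other project named on this page: a Python sanitizer on the standard library's html.parser that rebuilds the HTML from parsed tokens, keeps only a hypothetical allow-list of tags and attributes, discards script/iframe elements together with their content, and rejects href/src values whose scheme is not http, https, mailto or relative.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list policy: tag -> attributes permitted on it (trim to what the editor needs)
ALLOWED = {"p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(), "ul": set(),
           "ol": set(), "li": set(), "blockquote": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS, VOID = {"href", "src"}, {"br", "img"}  # VOID: no closing tag is emitted
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative URLs
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # element AND its content go
def _safe_url(value):
    # Browsers ignore tabs/newlines inside a URL, so strip control chars before reading the scheme
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # e.g. malformed IPv6 host: reject rather than crash
        return False
class AllowListSanitizer(HTMLParser):
    # Rebuilds the document from parsed tokens; whatever is not explicitly allowed is left out
    # (comments, doctypes and processing instructions hit HTMLParser's no-op handlers and vanish).
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in attribute values are decoded first
        self.out, self._drop_depth = [], 0  # _drop_depth > 0 while inside a DROP_CONTENT element
    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lower-cased
        if tag in DROP_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED:
            return  # unknown tag is removed; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick, onerror, style, ... never reach the output
            if name in URL_ATTRS and not _safe_url(value):
                continue  # javascript:, data:, vbscript: ... rejected here
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never passed raw
def sanitize(html):
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The sanitizer does not re-balance mis-nested tags; maintained libraries such as HTML Purifier (PHP) or bleach (Python) implement the same allow-list idea with far more edge cases covered.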

The solution to this problem is simple.
There are multiple ways; one of them is Base64 encoding and decoding.

It is basically escaping, keeping the output intact.
The filtering part needs to do this: add a method using preg_match so that, in general, URLs that are not this site's are replaced.

Looking at Baidu's UEditor, I can only say that a lot of things are not designed with enough freedom and flexibility. I also cannot find where the "filter rules" keyword is configured, so it is recommended not to use ueditor because it is not mature enough!

So I suggest you can:

    • Pick up KindEditor and use it.
    • Use wysihtml5 with a custom style, because it is only a core engine.

For a rich text editor built on wysihtml5, you can refer to bootstrap-wysihtml5 here.

Both rich text editors above have a filtering mechanism; you can read the documentation to find out.
