• Resolved Ninos

    (@ninos-ego)


    Hey there,
    I have a security problem. By adding some HTML attributes such as onmouseover, onclick, etc. to the editor (TinyMCE), I can run JavaScript in the client browser, because there’s no function that filters the HTML attributes.
    The problem is that I also have a front-site editor and want to filter some HTML attributes. The insecure tags like <script></script> will be removed with the strip_tags function.
    Is there already a function in WordPress, or is this a security issue?

    Thanks,
    Ninos

    PS: bbPress is removing the attributes for non-admins, but I haven’t found a function that’s doing that :/
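The gap described in the post, as an added example that is not part of the original thread and is not WordPress or bbPress code: `strip_tags()` with a tag allowlist removes `<script>` but leaves every attribute on the allowed tags, so a second pass has to allowlist attributes per tag. The `ALLOWED` policy, the function name `filter_html_allowlist` and the sample input are assumptions made for the illustration.

```php
<?php
// Assumed policy for this example: allowed tag => allowed attributes.
const ALLOWED = ['a' => ['href', 'title'], 'p' => [], 'strong' => [], 'em' => [], 'br' => []];

function filter_html_allowlist(string $html): string
{
    // Pass 1: drop every tag that is not allowlisted (attributes are NOT touched here).
    $html = strip_tags($html, '<' . implode('><', array_keys(ALLOWED)) . '>');

    // Pass 2: parse the remainder and remove every attribute that is not allowlisted.
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML(
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head>'
        . '<body><div>' . $html . '</div></body></html>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // "div" is not allowlisted, so the first <div> is always the wrapper added above.
    $root = $doc->getElementsByTagName('div')->item(0);
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $allowed = ALLOWED[strtolower($el->nodeName)] ?? [];
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            // href must start with an allowlisted scheme or be a relative/fragment link.
            $badUrl = $name === 'href'
                && !preg_match('~^(https?://|mailto:|/|#)~i', trim($attr->nodeValue));
            if (!in_array($name, $allowed, true) || $badUrl) {
                $el->removeAttributeNode($attr);
            }
        }
    }

    // Serialize only the wrapper's children, not the wrapper itself.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input.
$input = '<p onmouseover="alert(1)">Hi <a href="javascript:alert(2)" onclick="x()">link</a>'
       . '<script>alert(3)</script></p>';

echo strip_tags($input, '<p><a>'), "\n";   // tag filter only: event-handler attributes survive
echo filter_html_allowlist($input), "\n";  // tag filter plus attribute allowlist
```

Inside a WordPress install, core's `wp_kses()` and `wp_kses_post()` apply the same kind of tag-and-attribute allowlist.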

Viewing 1 replies (of 1 total)
  • The topic ‘XSS TinyMCE – filter attributes’ is closed to new replies.