I have a little concern!

I installed TinyMCE on my web site. I spent hours configuring it, adapting the skin, installing new languages, etc.
And then I realized that I must allow members to post HTML to be able to use this TinyMCE editor.

It's probably a stupid question, but can it create a security hole in my site?
I mean, if someone is able to post a message in the forum with a link to an external JS script, he can do a lot of nasty things, no?
e107 version: 2.2.1
closed with the note: it seems to work as expected with the default configuration
Hi, not sure, but e.g. I dislike TinyMCE because it strips too much stuff. Why for main admin? I mean the e107 version of it, not the original TinyMCE. And there are different templates/available buttons for roles. But for frontend submission (forum) I still use bbcodes. Editors are separated for news and forum now.
HTML posting always allows (on any system) a certain threat. However, take a read here: https://www.tiny.cloud/docs/configure/url-handling/
Halfway down: allow_script_urls.

Not sure, however, how it's done and if it's done (local or outside stuff). (Maybe internally it is one of the HTML pref settings.)
It was a stupid question!! I just had to test myself.
So until now, it looks safe. All HTML code that I pasted (or wrote) in TinyMCE seems to be interpreted as simple text.
I used the CDN from jquery.com (not the same as in e107) and, if I do a "preview", part of the URL is removed; just the integrity fingerprint is kept. If I post directly, it is simply displayed as "code" and nothing is downloaded (checked with the "developer tools" of Firefox).

However, the way it works is a little bit strange/surprising. I never used the "code" tag explicitly, but some part of the pasted HTML was converted and displayed by GeSHi, while the rest was simple text.

I think I can live with this.

Thanks for your answers.
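The test described in this thread only shows what one editor configuration does in the browser; what actually decides whether posted HTML can run script is the check the server applies before storing or rendering it, independent of TinyMCE. The following is an added example and not e107 or TinyMCE code: a small allowlist sanitizer written with the Python standard library, run over a constructed forum post containing the kind of pasted CDN script tag mentioned above. The allowed tag set, the attribute policy and the sample post are assumptions chosen for illustration.

```python
"""Server-side allowlist sanitizer for user-submitted HTML.

Added example (not e107/TinyMCE code). Everything not explicitly allowed
is dropped: unknown tags, all event-handler attributes, script/style
content, comments, and href values whose scheme is not on the allowlist.
Text content is re-escaped so it can never be parsed as markup.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical forum policy: a handful of formatting tags, one attribute.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = ("script", "style")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.skip_depth = 0    # > 0 while inside <script>/<style>: drop their text
        self.dropped = []      # what was removed; useful for logging/alerting

    def _safe_url(self, value):
        # Attribute values arrive already entity-decoded, so "javascript&#58;"
        # is seen as "javascript:" here and rejected.
        v = value.strip().lower().replace("\x00", "")
        return v.startswith("/") or any(v.startswith(s) for s in ALLOWED_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and self._safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.dropped.append(tag)
            return
        self.handle_starttag(tag, attrs)
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

    def handle_comment(self, data):
        self.dropped.append("comment")


def sanitize(html):
    """Return (clean_html, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample post, modelled on the thread's test: a pasted CDN
# <script> tag with an integrity attribute plus two other common shapes.
SAMPLE_POST = (
    '<p>Hello <b onclick="alert(1)">world</b></p>'
    '<script src="https://cdn.example/jquery.js" integrity="sha256-PLACEHOLDER"></script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.org/">ok</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_POST)
    print(clean)      # <p>Hello <b>world</b></p><a>click</a><a href="https://example.org/">ok</a>
    print(dropped)    # ['b@onclick', 'script', 'a@href']
```

The `dropped` list is worth keeping: a post that trips the sanitizer is exactly the event a forum operator wants in a log, since a harmless paste and a deliberate attempt look identical to the reader but not to the server.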

