TinyMCE and security [closed]

Question

Hello

I have a little concern !

I installed TinyMCE on my web site. I spend hours to configure it, adapt the skin, install new languages ... etc.
And then I realized that I must allow members to post HTML to be able to use this TinyMCE editor ....

it's probably a stupid question, but can it create a security hole in my site ?
I mean, if someone is able to post a message in the forum with a link to an external JS script, he can do a lot of nasty things, no ?

Comments

Hi, not sure, but f.e. I dislike Tmce because it strips too much stuff. Why for main admin? I mean e107 version of it, not originaly tinymce. And there are different templates/available buttons for roles. But for frontend submission (forum) I still use bbcodes. Editors are separated for news and forum now.

---

Html posting allows always (any system) a certain thread. However take a read here https://www.tiny.cloud/docs/configure/url-handling/
Halfway down : allow_script url.

Not sure however how its done and iff its done (local or outside stuff). (maybe internal it is one of  the html pref settings..)

---

It was a stupid question !! I just had to test myself
So until now, it looks safe. All html code that I pasted (or wrote) in TinyMCE seems to be interpreted as simple text ...
I used the CDN from jquery.com (not the same as in e107) and, if I do a "preview" part of the URL is removed, just the integrity fingerprint is kept. If I post directly, it simply displayed as "code" and nothing is downloaded (checked with the "developer tool" of Firefox)

However, the way it works is a little bit strange/surprising. I never used explicitely the "code" tag, but some part of the pasted html was converted and displayed by Geshi, while the rest was simple text ...

I think, I can live with this

 

Thanks for your answers

ericc