Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Script tags are executed when switching out of codeview #1462

irandamay opened this issue Dec 2, 2015 · 4 comments


None yet
7 participants
Copy link

commented Dec 2, 2015

If the user puts script tags into the codeview, the scripts are executed when trying to switch back to WYSIWYG. This happens for both inline scripts, e.g. <script>alert('test');</script> and external ones, e.g. <script src="http://path/to/foo.js"></script>.

It has the side effect of also trapping the user in the codeview if they enter some invalid JS. I came across this while trying to test my own input sanitization by putting <script>test</script> into the codeview since all I was trying to do was make sure that my HTML cleaning was stripping script tags out, and it trapped me in the codeview with the JS error: Uncaught ReferenceError: test is not defined



This comment has been minimized.

Copy link

commented Jun 5, 2016

TinyMCE for example has the ability to restrict the types of tags that users can enter. This bug should be fixed as soon as possible.


This comment has been minimized.

Copy link

commented Jun 25, 2016

The script tags should be preserved but not executed when going back into the WYSIWYG mode. Is there a way to use an event handler to sanitize the code for accomplishing this?


This comment has been minimized.

Copy link

commented Aug 25, 2016

Any update on this issue?

@lqez lqez added + Priority: High and removed important labels Nov 15, 2017


This comment has been minimized.

Copy link

commented Sep 21, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.