Iframe optional #33
Comments
Hi @gordonslondon, I don't think that this will soon be part of wysihtml5. Scenario: I did some extensive research on this topic. Check this test suite: and the resulting code: wysihtml5 is by now the only editor with such an approach to security. However, maybe I can help you with your problem: why did you remove the iframe?
My use case: I'm building a CMS where the user can style his page (this will generate CSS in a I've looked at the I was aware of your security concerns; also, your tests show that only IE is affected. Is there any way to strip all JavaScript from user input in this browser?
To first answer your question: no, there isn't a solution to that. However, if you need to apply styles dynamically to the editor, then I think I might help: ('editor' is in this case the instance) Find the source code here: https://github.com/xing/wysihtml5/blob/master/src/dom/insert_css.js
Interesting, will try asap. I'm closing the issue for now. Thanks.
@tiff I don't understand something: if we use an iframe to prevent JavaScript from being executed, does it mean we have to render the content in an iframe too (for a user without editing privilege)? I have 10+ instances of wysihtml5; does it mean I've 10 iframes on my page?
Hell no :) As with any other input where users can enter HTML, you have to strip malicious code on the server side before saving it, by using an HTML sanitizer. There's even one HTML5 sanitizer that was built in Perl and uses the wysihtml5 parser rule set:
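The server-side step described in this reply, as an added example that is not part of the thread and not wysihtml5's own code or the Perl sanitizer it mentions: a whitelist sanitizer built on Python's standard-library `html.parser`. Everything not explicitly allowed is dropped, which is the property that matters; the allowed-tag table below is constructed here in the spirit of wysihtml5's parser rules and is not the project's actual rule set. Event-handler attributes never appear in the whitelist, `<script>`/`<style>`/`<iframe>` content is removed rather than just unwrapped, and URL attributes are only kept when their scheme is relative, `http`, `https` or `mailto`.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed whitelist (hypothetical, not wysihtml5's real parser rules):
# tag name -> attributes that survive on that tag. Anything else is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "h1": set(), "h2": set(), "blockquote": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# For these tags the whole content is discarded, not only the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def safe_url(value):
    """True if the URL is relative or uses a scheme in SAFE_SCHEMES."""
    # Browsers ignore ASCII control characters (tab, newline, CR) inside a URL,
    # so strip them before looking at the scheme; "java\nscript:" must not pass.
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    match = SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme: relative URL
    return match.group(1).lower() in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # serialized output fragments
        self.stack = []      # open allowed tags, so unclosed input gets closed
        self.drop_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are removed, their text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.stack:
            return  # stray close tag with no matching open tag
        while self.stack:
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            # Entities were decoded by the parser; re-escape so text stays text.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped (IE conditional comments included)


def sanitize(html):
    """Return a serialization of `html` containing only whitelisted markup."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.stack:  # close whatever the input left open
        parser.out.append("</%s>" % parser.stack.pop())
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample input, not from any real user.
    sample = '<p onclick="alert(1)">Hi <a href="javascript:alert(1)">link</a>' \
             '<script>alert(1)</script><img src="cat.png" onerror="alert(1)">'
    print(sanitize(sample))
```

`html.parser` is tolerant but not an HTML5-spec parser, so for production use the same whitelist approach should sit on a parser that builds the tree the way browsers do (the Perl html5-sanitizer mentioned above, or an equivalent library in your server language); the point of the example is the policy, not the tokenizer.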
Ooh, haven't seen the html5-sanitizer, looks good to me, thanks for the info and your patience @tiff.
Correction: `wysihtml5.dom.insertCSS(["div { color: red; }"]).into(editor.composer.sandbox.getDocument());`
Thanks and sorry! |
Hi @tiff |
The iframe does not seem to be optional; I've hacked quite a lot to replace it with a div.
Is it possible in a next release to make it optional?
Thank you