The readme file says:

It's best when using this editor to use an input format that has all filters disabled.

Isn't this a security hole? For example: I could include this in my posting: <div style="XYZ">, and from what I understand, you can get the "XYZ" to run JavaScript of your choosing.

I have a follow-on question, too: Supposing it is ok to have an input format with all filters disabled, as suggested in the readme: How, then, could I get it so that that is the default input format for anyone using TinyMCE, while retaining "Filtered HTML" as the default for everyone else?

Thanks!
Dan

Comments

heine’s picture

Isn't this a security hole?

Yes it is.

This should be removed from the readme.

JStarcher’s picture

Use the Safe HTML filter instead.
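The advice above boils down to allowlisting: instead of disabling filters, pass user HTML through a filter that keeps only known-safe tags and attributes, so a `style` attribute (or any other attribute not explicitly permitted) on a `<div>` never reaches the page. The following is an added illustration, not the Drupal Safe HTML filter's own code or anything from the TinyMCE module; it is a small allowlist sanitizer built on Python's `html.parser`, and the tag list, attribute list and sample posting are all assumptions chosen for the demonstration:

```python
# Added example: a minimal allowlist HTML filter (not Drupal's implementation).
# Strategy: keep only tags in ALLOWED_TAGS, keep only attributes in
# ALLOWED_ATTRS for that tag, and drop <script>/<style> elements with their
# content. Anything else (including every style="..." attribute) is removed.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}  # assumed list
ALLOWED_ATTRS = {"a": {"href"}}  # assumed: only <a href> carries an attribute
VOID_TAGS = {"br"}  # tags that never get a closing tag
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are both discarded


def safe_url(value):
    """Allow only relative URLs and a few benign schemes in href values."""
    scheme = urlsplit((value or "").strip()).scheme.lower()
    return scheme in {"", "http", "https", "mailto"}


class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside a <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself but keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # style=, on*= and every other non-allowlisted attribute is dropped
            if name == "href" and not safe_url(value):
                continue  # keep the link text, drop the unsafe target
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # Re-escape text so stray < > & cannot form new markup.
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return the allowlisted version of an untrusted HTML fragment."""
    f = AllowlistFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample posting: mixes harmless markup with the <div style="XYZ">
# case from the question, an unsafe link target and a script element.
SAMPLE_POST = (
    '<p>Hello <b>world</b></p>'
    '<div style="XYZ">styled text</div>'
    '<a href="javascript:x()">link</a>'
    '<a href="https://example.com/">ok</a>'
    '<script>x()</script>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_POST))
    # -> <p>Hello <b>world</b></p>styled text<a>link</a><a href="https://example.com/">ok</a>
```

Note that this filter does not try to repair unbalanced tags; a production filter (Drupal's included) also normalises the tree so a user cannot leave an element open across the rest of the page. The point to take from it is the shape of the policy: whatever is not on the list is removed, so there is no need to enumerate every way an attribute value could be abused.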

XGI-Wrath’s picture

Use the Safe HTML filter instead.

Thanks JStarcher!

This seems to be a good, security-conscious way to resolve the issues with the default HTML filter stripping out all the styles of the output.

JStarcher’s picture

This solution has worked great for me as well. I believe this should be in the readme as it affects probably the majority of people using the TinyMCE module.

pomliane’s picture

Status: Active » Closed (won't fix)

This version of TinyMCE is not supported anymore. The issue is closed for this reason.
Please upgrade to a supported version and feel free to reopen the issue on the new version if applicable.

This issue has been automagically closed by a script.