Security and Tinymce?
.Sam. - August 21, 2008 - 22:28
| Project: | Tiny Tiny MCE |
| Version: | 6.x-1.7 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Description
Another request ;-)
First of all I should say your module is great, and after much time investigating and examining the regular Tinymce module, I've found yours to be a MUCH better implementation. ;-)
I have a question regarding security when using the "Full HTML" mode:
I would like to prevent users from using FULL HTML for security reasons. What is the best way to deal with security? Do you think disabling the toggle between the Rich Text mode is a good practice to deal with this issue?
Thanks again for a great module.

#1
Thanks for the kind words .Sam.
Within tinytinymce the other issue you posted (http://drupal.org/node/298351) could control what is allowed - disabling the toggle would strengthen that control.
I think there are other ways to disable Full HTML. Take a look in admin/settings/filters - you can configure each of the filters, which are applied to the input formats. You can also disable specific filters (e.g. Full HTML) for certain user roles. If you can configure the filters I think that will give you better security as it will strip out anything that is not allowed when saving the node.
Again - changing this to fixed - but please re-open if necessary.
Steve
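
The point made in comment #1, that the restriction belongs in the server-side input-format filters rather than in the editor toggle, as an added example that is not part of the original thread and is not Drupal or Tiny Tiny MCE code. The role names, format names and tag allowlist are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed role -> input format mapping (assumption, not Drupal's schema).
ROLE_FORMATS = {
    "authenticated user": {"filtered_html"},
    "site editor": {"filtered_html", "full_html"},
}
ALLOWED_TAGS = {"a", "em", "strong", "p", "ul", "ol", "li", "br"}

def safe_href(value):
    """Return the link target only if it is an absolute http(s) URL."""
    try:
        scheme = urlsplit((value or "").strip()).scheme.lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return None
    return value.strip() if scheme in ("http", "https") else None

class AllowlistFilter(HTMLParser):
    """Re-emit allow-listed tags without attributes; escape all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <img>, <iframe> ... are dropped
        href = safe_href(dict(attrs).get("href")) if tag == "a" else None
        if href:
            self.out.append('<a href="%s">' % escape(href, quote=True))
        else:
            self.out.append("<%s>" % tag)  # onclick, style, etc. discarded

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def render(text, requested_format, role):
    """The stored role mapping, not the editor UI, decides the format."""
    if requested_format == "full_html" and "full_html" in ROLE_FORMATS.get(role, ()):
        return text
    parser = AllowlistFilter()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)
```

A request that claims `full_html` from a role without that format is filtered anyway, which is why hiding the toggle in the editor is only a convenience and the role-to-format mapping is the actual control.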
#2
Automatically closed -- issue fixed for two weeks with no activity.