I've installed TinyMCE, which in my opinion is the best editor available so far, but unfortunately found a serious glitch regarding XSS vulnerability (a glitch I later found in all the other WYSIWYG editors available for Drupal, including FCK; except BBCode Quicktags which actually is not a WYSIWYG editor).
The problem was found while testing some XSS alert tests I've copied from http://ha.ckers.org/xss.html.
So, at the moment you are writing or editing an article, if you write those codes first in Filtered HTML (or any other filtered input format; I've tested it with a tightly restricted HTML Purifier setup too) and then switch to the rich-editor version, exactly at THAT moment the script is triggered, so it is overlooked by the filters, since the article has not been submitted yet. But imagine if we are talking about destructive code: it could be written in the normal editor version and then immediately put into action just by enabling the rich editor.
I've looked for a possible solution everywhere, including HTML Purifier's site, but it seems to be an issue related to TinyMCE (and the other editors), and the only way to avoid it is to patch TinyMCE.
Please, any help with this one, as I want to stick with this editor while still having a safe website.
Comments
Comment #1
GuybrushSThreepwood commented:
BTW, the only quick solution that comes to mind is to disable the "Rich-Editor disable/enable button" for authenticated users, while user number 1 (that's me in this case) and other admins are able to switch between Filtered HTML and the rich editor.
Unfortunately now, if you disable this option, it is universally disabled for everyone, including the admins and user 1.
Comment #2
mupsi