CPG Dragonfly™ CMS Community Forums ⇒ Modules & Blocks ⇒ CPG-BB (forum)

Why not WYSIWYG?


Probably a stupid question but why are WYSIWYG editors not used in the forums and for submitting articles? Just thinking of FCKeditor or TinyMCE?


This is why:
<div onclick="alert('EVIL')"> <a href="javascript:alert('EVIL')">click</a> <img onload="alert('EVIL')"/> </div>

New template system (Poodle TAL) in v10 strips all on* attributes but has new security issues like:
<div tal:repeat="row php:here.SQL.query('SELECT * FROM cms_admins')"> <div tal:content="php:print_r(${row})"></div> </div> <div tal:content="php:here.IDENTITY.updateAuth('password')"></div>
I am in the process of preventing the use of TAL in front-end posted HTML.
But, as you can see, all options have security issues.

Key is: NEVER TRUST THE USER!

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
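One way to enforce the "never trust the user" rule on posted HTML, as an added example that is not Dragonfly's own code: an allowlist sanitizer that drops on* handlers, javascript: URLs and tal:/php: template attributes, run over the two payloads from the post above. The allowlist of tags and attributes is an assumed forum policy, not the CMS's.

```python
from html.parser import HTMLParser
from html import escape

# Assumed policy: tags a post may carry, mapped to the attributes allowed on each.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
                "br": set(), "img": {"src", "alt"}, "div": set()}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
VOID_TAGS = {"br", "img"}

class PostSanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; anything not allowlisted is dropped, not escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # rejected items, in order: useful for logging/alerting
        self.skip_depth = 0    # > 0 while inside a disallowed element (its text is dropped too)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # on* handlers and namespaced attributes (tal:, metal:) never survive, even if named
            if name not in ALLOWED_TAGS[tag] or name.startswith("on") or ":" in name:
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            # URL attributes must use a known-safe scheme; javascript:/data: etc. are rejected
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(f"url:{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is always re-escaped on output

def sanitize(posted_html):
    """Returns (clean_html, list_of_dropped_items) for one submitted post."""
    p = PostSanitizer()
    p.feed(posted_html)
    p.close()
    return "".join(p.out), p.dropped
```

The dropped list is worth logging: a post that sheds several on* attributes or javascript: URLs at submission time is a signal worth reviewing, not just a cleaned post.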
