• drkknight32

    (@drkknight32)


    I’m working on creating a user generated content site, but I’m running into problems with possible security holes regarding the editor.

    I’d like users to be able to add their own articles, but right now the editor will allow them to add code that would effectively break the site.

    If they wanted to, they could for example type:

    </div></div></div>

    into the HTML editor and mess quite a bit up. Does anyone know of a way to help close this security issue? Perhaps there’s a plugin with a different editor that might work? Thanks in advance!

Viewing 4 replies - 1 through 4 (of 4 total)
  • kjodle

    (@kjodle)

    Try using the User Role Editor plugin and disallowing “unfiltered HTML”.

    Not tested; ymmv.

    Thread Starter drkknight32

    (@drkknight32)

    Hmm…I think this might help with another problem I have, but not this one.

    I think what I’ll end up doing is disabling the HTML editor completely. The visual editor is able to properly escape any malicious code it looks like, and I don’t think a typical user will really need HTML anyways. Just have to figure out how to do that now…

    Thanks

    kjodle

    (@kjodle)

    Are you using a child theme? If so, add this to your child theme’s functions.php file:

    // Prints a style block into every admin page <head> that hides the
    // Visual/Text switch tabs of the classic post editor (ids content-tmce
    // and content-html). The editor itself stays active; only the tabs are
    // hidden in the browser.
    add_action('admin_head', 'hide_htmleditor');
    function hide_htmleditor() {
    ?>
        <style>
            #content-html, #content-tmce { display:none; }
        </style>
    <?php
    }

    Not pretty, but it works.

    Thread Starter drkknight32

    (@drkknight32)

    Sorry it took me so long to get back to you.

    If this is just a CSS style, wouldn’t the user be able to change the CSS attributes on the page with something like Chrome and put the HTML editor back into the view? Maybe I’m giving Chrome too much credit.

    Maybe there’s another way to make sure that the visual+HTML editor is secure?
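    The question raised in the last reply, that a CSS rule can be undone in the browser's developer tools, is the right concern: anything hidden client-side can be typed back in, and the post content reaches the server in the form the client chose to send. The following snippet is an added example for this thread, not code from any of the replies, and it assumes the classic (TinyMCE) editor on a single-site install where administrators are the only users trusted with raw HTML. It enforces the two server-side pieces that this thread circles around: deny the `unfiltered_html` capability so WordPress's own kses filtering runs on save, and run `force_balance_tags()` on untrusted content so stray closers such as `</div></div></div>` are dropped rather than stored. The function names prefixed `ugc_` are hypothetical.

```php
<?php
/*
 * Added example (not from the thread). Place in a child theme's functions.php
 * or a small plugin. Assumes the classic editor and that only users with
 * 'manage_options' (administrators) may submit unfiltered HTML.
 */

/*
 * 1. Capability: map 'unfiltered_html' to 'do_not_allow' for everyone who
 *    is not an administrator. When a user lacks unfiltered_html, WordPress
 *    core attaches wp_filter_post_kses() to 'content_save_pre' (see
 *    wp-includes/kses.php), which strips tags and attributes that are not
 *    on the wp_kses_allowed_html('post') allowlist (script, onclick, ...).
 *    Defining DISALLOW_UNFILTERED_HTML in wp-config.php is the blunter
 *    alternative that also covers administrators.
 */
add_filter('map_meta_cap', 'ugc_deny_unfiltered_html', 10, 3);
function ugc_deny_unfiltered_html($caps, $cap, $user_id) {
    if ($cap === 'unfiltered_html' && !user_can($user_id, 'manage_options')) {
        $caps = array('do_not_allow');
    }
    return $caps;
}

/*
 * 2. Structure: kses is an allowlist, not a parser. A closing </div> is an
 *    allowed token, so three of them pass straight through and still break
 *    the page layout. force_balance_tags() (wp-includes/formatting.php)
 *    removes closing tags with no matching opener and closes tags left
 *    open. Priority 20 runs after core's kses filter at priority 10. Core's
 *    own balanceTags() filter also works on the slashed content_save_pre
 *    value, so no extra slash handling is needed here.
 */
add_filter('content_save_pre', 'ugc_balance_untrusted_content', 20);
function ugc_balance_untrusted_content($content) {
    if (current_user_can('unfiltered_html')) {
        return $content; // trusted editors keep exactly what they wrote
    }
    return force_balance_tags($content);
}

/*
 * 3. Cosmetic only: drop the Text tab server-side instead of via CSS.
 *    With quicktags disabled the classic editor renders no Visual/Text
 *    switch at all. This changes nothing about what the server accepts;
 *    steps 1 and 2 are what protect the site.
 */
add_filter('wp_editor_settings', 'ugc_disable_text_tab', 10, 2);
function ugc_disable_text_tab($settings, $editor_id) {
    if ($editor_id === 'content' && !current_user_can('unfiltered_html')) {
        $settings['quicktags'] = false;
    }
    return $settings;
}
```

    To check it works, save a post as a contributor with the body `<p>hi</p></div></div></div>` and read it back from the database: the stray closers are gone, while the same post saved by an administrator is stored verbatim. The filters apply on every save path that goes through wp_insert_post (admin form, XML-RPC, REST), which is why they belong on the server and not in a stylesheet.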

  • The topic ‘Stopping bad HTML’ is closed to new replies.