Posted to user@struts.apache.org by Simone Camillo Buzzi <si...@gmail.com> on 2013/06/26 09:06:32 UTC

Secure data coming from a WYSIWYG editor

Hi,
how can I secure data coming from a WYSIWYG editor?
I want to allow users to change properties of the text but not to link
images or add scripts to their posts.
I'll use this feature to allow users to add comments or compile complex pages.
I'm not worried about data coming from the editor but about data that a malicious
user can send me from a modified page.
Does Struts 2 have any interceptor that implements this kind of feature?
Does anyone have experience with this task?

Simone Buzzi

Re: Secure data coming from a WYSIWYG editor

Posted by Simone Camillo Buzzi <si...@gmail.com>.
Thanks for your help, it's what I was searching for.

Kind regards
Simone Buzzi


2013/6/26 Maurizio Cucchiara <mc...@apache.org>

> Out there, there are a lot of WYSIWYG editors (like CKEditor) which allow
> you to define the list of supported tags.
>
> As for the server-side aspect, I'd suggest JSOUP. It allows you
> to clean the HTML submitted by the user [1].
>
> Also, have a look at hdiv [2], IIRC there is a plugin for Struts 2 which
> should protect against XSS and other security issues.
>
> [1] http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
> [2] http://hdiv.org/
>
> Maurizio Cucchiara
>

Re: Secure data coming from a WYSIWYG editor

Posted by Maurizio Cucchiara <mc...@apache.org>.
Out there, there are a lot of WYSIWYG editors (like CKEditor) which allow
you to define the list of supported tags.

As for the server-side aspect, I'd suggest JSOUP. It allows you
to clean the HTML submitted by the user [1].

Also, have a look at hdiv [2], IIRC there is a plugin for Struts 2 which
should protect against XSS and other security issues.

[1] http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer
[2] http://hdiv.org/
On 26 June 2013 09:06, Simone Camillo Buzzi <si...@gmail.com> wrote:

> I'll use this feature to allow user to add comment or compile complex
> pages.
> I'm not worried about data coming from the editor but about data that a malicious
> user can send me from a modified page.
> Does Struts 2 have any interceptor that implements this kind of feature?
> Does anyone have experience with this t
>



Twitter     :http://www.twitter.com/m_cucchiara
G+          :https://plus.google.com/107903711540963855921
Linkedin    :http://www.linkedin.com/in/mauriziocucchiara
VisualizeMe: http://vizualize.me/maurizio.cucchiara?r=maurizio.cucchiara

Maurizio Cucchiara
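The server-side step Maurizio recommends in [1], as an added example that is not part of the thread: a jsoup whitelist built up from `Whitelist.none()` so that only text-formatting tags survive, with `<img>`, `<script>`, inline event handlers and `javascript:` links all stripped regardless of what a modified page posts. The class name `CommentSanitizer`, the tag list and the sample input are assumptions; it targets the jsoup 1.7.x API of the time (the `Whitelist` class was renamed `Safelist` in jsoup 1.14.1).

```java
// Added example (not from the thread): sanitizing WYSIWYG output on the server
// with jsoup's whitelist sanitizer. Assumes jsoup 1.7.x on the classpath;
// in jsoup 1.14.1 and later, Whitelist is called Safelist.
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class CommentSanitizer {

    // Start from an empty whitelist: nothing is allowed unless listed here.
    // Text formatting only, so no <img>, no <script>, no style attributes.
    private static final Whitelist FORMATTING_ONLY = Whitelist.none()
            .addTags("p", "br", "b", "strong", "i", "em", "u", "s",
                     "ul", "ol", "li", "blockquote", "h3", "h4", "a")
            // The only attribute allowed anywhere is href on <a>, and only
            // with http/https, which drops javascript: and data: URLs.
            .addAttributes("a", "href")
            .addProtocols("a", "href", "http", "https")
            // Every surviving link gets rel="nofollow" added or overwritten.
            .addEnforcedAttribute("a", "rel", "nofollow");

    /** Returns a cleaned copy: disallowed tags and attributes are removed,
     *  the visible text is kept, and the markup is re-serialized well-formed. */
    public static String clean(String submittedHtml) {
        return Jsoup.clean(submittedHtml, FORMATTING_ONLY);
    }

    /** True when the submitted HTML already fits the whitelist. An editor
     *  configured with the same tag list never fails this, so a failure is a
     *  good signal to reject the request and log it rather than silently fix it. */
    public static boolean isValid(String submittedHtml) {
        return Jsoup.isValid(submittedHtml, FORMATTING_ONLY);
    }

    public static void main(String[] args) {
        // Constructed sample of a tampered POST body, not real editor output.
        String tampered = "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>"
                + "<img src=\"http://example.invalid/x.png\">"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">click</a>";
        System.out.println("valid: " + isValid(tampered));
        System.out.println(clean(tampered));
    }
}
```

Run the same whitelist on the way out as well if the stored HTML predates the sanitizer; cleaning only at submission time leaves older rows unchecked.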