TinyMCE text input sanitization #394

Open
Gilbertdelyon opened this issue Feb 14, 2025 · 3 comments

Gilbertdelyon commented Feb 14, 2025

This is not an issue. Only a question.

  • HTML Custom Pages are using TinyMCE as text input editor.
  • Template Custom Pages are also using TinyMCE as Richtext elements text input editor.

As far as I see tinyMCE is configured in the same way in both cases.

  • HTML Custom Pages are not allowed in spaces, apparently for security reasons.
  • Template Custom pages with RichText elements are allowed in spaces (and there are a lot of such pages in our site)

And now the questions:

  • Is HTML text input less sanitized than RichText element text input? (This would explain why one is allowed in spaces and not the other.)
  • Can I allow Template pages with RichText elements in spaces without any risk?
luke- (Contributor) commented Feb 14, 2025

> This is not an issue. Only a question.
>
>   • HTML Custom Pages are using TinyMCE as text input editor.
>   • Template Custom Pages are also using TinyMCE as Richtext elements text input editor.
>
> As far as I see tinyMCE is configured in the same way in both cases.
>
>   • HTML Custom Pages are not allowed in spaces, apparently for security reasons.
>   • Template Custom pages with RichText elements are allowed in spaces (and there are a lot of such pages in our site)
>
> And now the questions:
>
>   • Is HTML text input less sanitized than RichText element text input? (This would explain why one is allowed in spaces and not the other.)

What do you mean by "HTML text input"? If you mean the HTML page type, yes, it's completely unpurified HTML.

>   • Can I allow Template pages with RichText elements in spaces without any risk?

No, RichText (HTML) elements are very powerful. It may run through an HTML Purifier, but there is a risk here. To protect against XSS, I would use HumHub RichText.

Gilbertdelyon (Author) commented

@luke-
Thank you for these clarifications.

> What do you mean by "HTML text input"? If you mean the HTML page type.....

Yes, this is what I mean.

> No, RichText (HTML) elements are very powerful. It may run through an HTML Purifier, but there is a risk here

May I suggest some improvement for Richtext elements:

  • Either add a warning for newbie administrators like me who find it convenient to add some Richtext elements in Template pages and allow them in spaces.
  • Or, purify Richtext in Elements more strictly than in HTML pages.
    Richtext allows more flexibility than the basic HumHub Richtext, but I guess 99.99% of the users will not need some <script> tags or other risky things in elements.

Only my 2 cents!

luke- (Contributor) commented Feb 14, 2025

Good point. Feel free to create an issue about it.
