Rediscoverer

I’m currently doing an article submission application. Wanting to give the users more power over their articles, I’ve planned on using a WYSIWYG(What You See Is What You Get) text editor for the article submission form. Using that kind of editor, users can format their articles easily, even if they have little experience with html. I tried using “TinyMCE (TinyMCE Javascript Content Editor)”:http://tinymce.moxiecode.com/, an Open-Source WYSIWYG editor that runs using Javascript and I’m quite happy with the results. It provided some “MS Word”-like interface. It also has some mechanism that filters disallowed html tags like and other potentially dangerous tags that could make the application vulnerable to XSS(Cross-Site Scripting) attacks.

But what if javascript was disabled by the user? Expecting that the input would be processed by TinyMCE, the application won’t be doing some input checking. If javascript is disabled, TinyMCE won’t be able to do its job. The disallowed html code will be freely included and the application will be left open to attacks. PHP’s Built-in input filtering functions isn’t much of use here, since all they do is strip the tags or convert special characters like < and > into their equivalent entities and will no longer be recognized as mark-up. I wanted some PHP functioality that can do the filtering for me.

So I consulted sir Google and after searching some possible solutions, I found “HTML Purifier (Filter you HTML the standards-compliant way)”:http://hp.jpsband.org/ and gave it a test run. Yep, it worked. I tried it with TinyMCE on, and the html fomartting was still intact after purification. Now I tried it with TinyMCE on, but then disabled javascript and inserted some not-so-malicious code and the purifier caught it. Nice! If I have time, I’ll test it further. I just need to make the application fully functional before doing detailed testing and debugging.