Summernote safety
I want to use the Summernote WYSIWYG editor on my website that I am making with Laravel 5.2, however, here is one problem: when I submit my form, I get all my code in HTML. Because of that, I can't escape my HTML, because all the styling will not work, but if I don't escape the HTML, my website will be vulnerable to XSS. What should I do?

Thanks for your help.

Kurtz answered 27/12, 2016 at 10:58
I am really sorry because the solution that solved my problem is sooooooo late, but I saw that 4 people were interested in this question, so I decided to post it.

Even if at first I didn't notice, later I found out that the best thing to use in this situation is an HTML purifier for Laravel 5 (for example this one), because it cleans all unsafe HTML, so the result should be safe even if the user can post HTML. That makes Summernote pretty safe to use. I do not really know if htmlpurifier still has any security issues, but all my tests were filtered as needed, so I think it should be secure enough.

Hope it helps someone. Sorry again, forgot about this question after I found a solution...

Kurtz answered 21/7, 2017 at 7:46
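As an added example (not code from the answer above or from the Laravel package it links to), this is how the same idea looks when wiring ezyang/htmlpurifier directly into a Laravel 5 app: an allowlist that matches what the Summernote toolbar produces, applied to the submitted field before it is stored, with the stored value later rendered unescaped in Blade via {!! $body !!}. It assumes `composer require ezyang/htmlpurifier` has been run; the function name summernotePurifier and the sample input are constructed for this example.

```php
<?php
// Added example: sanitising Summernote output with HTML Purifier before storage.
// Assumes the library is installed via Composer (ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

function summernotePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist roughly matching what the Summernote toolbar emits.
    // Everything not listed (script, iframe, on* handlers, form, ...) is dropped.
    $config->set('HTML.Allowed',
        'p[style],br,b,strong,i,em,u,s,h1,h2,h3,h4,h5,h6,blockquote,pre,code,'
        . 'ul,ol,li,table,thead,tbody,tr,th,td,'
        . 'a[href|title],img[src|alt|width|height],span[style],div[style]'
    );
    // Summernote writes styling as inline CSS; restrict it to harmless properties.
    $config->set('CSS.AllowedProperties',
        'font-weight,font-style,text-decoration,text-align,color,background-color');
    // Only http/https/mailto URLs are kept, so javascript: and data: URIs in
    // href/src are removed rather than passed through.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    $config->set('HTML.Nofollow', true);                      // rel="nofollow" on user links
    $config->set('Cache.SerializerPath', sys_get_temp_dir()); // writable cache dir for definitions
    return new HTMLPurifier($config);
}

// Constructed sample of what could arrive through the editor's form field:
// legitimate formatting mixed with a script tag, an event handler and a javascript: link.
$dirty = '<p style="color:red">Hi <b>there</b></p>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(1)">click</a>'
       . '<script>alert(1)</script>';

// The formatting survives; the script element, the onerror attribute and the
// javascript: href are stripped, so the result is safe to render with {!! !!}.
$clean = summernotePurifier()->purify($dirty);
echo $clean, PHP_EOL;
```

In a controller you would call the purifier on `$request->input('body')` once, store the cleaned string, and never purify at render time only, since the raw HTML would otherwise still sit in the database.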
Have you tried using

HTML::decode($someString)
Ronna answered 5/1, 2017 at 5:6

Then I make my website vulnerable. (Kurtz)
