• Resolved velingrad

    (@velingrad)


    I’m planning to allow logged-in users in the admin area to edit a section of a template ( html / css code and some <% %> tags ) that’s used to display data from my plugin. I found that codeMirror ships with WordPress, so that’s what I plan to use.

    Since users will be editing the template code ( which will be saved in the database ) I wonder how / if I should deal with the possible <script> tags etc that they may add. sanitize_text_field / strip_tags are useless, since the template does contain tags, but there’s no need for <link>, <iframe>, <script> etc.

    I noticed strip_tags allows you to provide a list of allowed tags, which would be one way to deal with it. But one plugin that I found that also uses codeMirror doesn’t bother to sanitize anything; I tried to make it trigger an alert() on the front page, and this worked. They probably feel that since we are only dealing with authenticated users in the admin area, it’s their own responsibility what they include in the template code.

    I’m kind of split on what the best way to deal with this is. Either provide a list of allowed tags ( very much leaning towards this ), or, because they are authenticated users, allow them to do whatever they want?

    Any ideas / suggestions?

    • This topic was modified 8 months ago by velingrad.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    because they are authenticated users allow them to do whatever they want?

    I imagine all the security experts reading your topic cringed at that.
    The concept of only granting enough privilege to accomplish what they need to accomplish always applies. If users don’t need script tags, they should not be allowed to use them. Unrestricted scripts can do nasty things!

    If script tags are the only restriction, maybe simply use preg_replace() to remove any script blocks in their entirety?

    FWIW, wp_kses() is the formal WP way to manage what is allowed or disallowed in HTML, but it can be a lot of extra fuss if you’re only after script tags.
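One way to apply the wp_kses() suggestion to this thread's case, as an added example that is not code from the thread or from WordPress itself. The option name, the myplugin_ prefix and the <% ... %> placeholder syntax are assumptions; the placeholders are tokenised before wp_kses() runs because it discards any angle-bracketed text that is not a recognised element.

```php
<?php
// Added example, not code from the thread or from WordPress core. The option
// name, the plugin prefix and the "<% ... %>" placeholder syntax are assumed.
// Elements and attributes the template may contain. Everything else
// (script, iframe, link, object, on* handlers, javascript: URLs) is dropped.
function myplugin_allowed_template_html() {
    $common  = array( 'class' => true, 'id' => true, 'style' => true );
    $allowed = array();
    foreach ( array( 'div', 'span', 'p', 'ul', 'ol', 'li', 'table', 'thead',
                     'tbody', 'tr', 'th', 'td', 'h1', 'h2', 'h3', 'h4',
                     'strong', 'em', 'br' ) as $tag ) {
        $allowed[ $tag ] = $common;
    }
    $allowed['a']   = $common + array( 'href' => true, 'title' => true );
    $allowed['img'] = $common + array( 'src' => true, 'alt' => true,
                                       'width' => true, 'height' => true );
    return $allowed;
}

function myplugin_sanitize_template( $template ) {
    // wp_kses() removes any <...> that is not a recognised element, so the
    // <% ... %> placeholders would be lost. Replace them with tokens first.
    $tokens   = array();
    $template = preg_replace_callback(
        '/<%.*?%>/s',
        function ( $m ) use ( &$tokens ) {
            $key            = '[[MYPLUGIN_TAG_' . count( $tokens ) . ']]';
            $tokens[ $key ] = $m[0];
            return $key;
        },
        $template
    );

    // Unlike strip_tags() with an allow-list, wp_kses() also strips
    // disallowed attributes (onclick, onerror, ...) and unsafe URL schemes.
    $clean = wp_kses( $template, myplugin_allowed_template_html() );

    // Restore the placeholders. Whatever expands them at render time must
    // escape its output (esc_html/esc_attr), since that data is user input.
    return strtr( $clean, $tokens );
}

// Route every save of the template option through the sanitizer.
add_action( 'admin_init', function () {
    register_setting( 'myplugin_options', 'myplugin_template', array(
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_template',
    ) );
} );
```

With this in place, a saved template such as `<div class="x"><% title %><script>alert(1)</script></div>` comes back as `<div class="x"><% title %></div>`, while the editor still sees its own tags untouched.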

    Thread Starter velingrad

    (@velingrad)

    Thanks for clarifying it.

  • The topic ‘Sanitize input from codeMirror edit field’ is closed to new replies.