@phil said:
The new composer looks nice. Very impressive work.
Just one quick question. Are you doing server side HTML sanitization or are you completely relying on Redactor to provide clean HTML? If so, where is the server side code that does the sanitization.
OK, I've answered my own question. No server side sanitization. It's very easy to inject javascript code into a post for XSS.
I would strongly recommend not deploying this to a production site until server side html sanitization is implemented. If any of the devs would like to know how I XSS'd my test site, let me know.
I've forked and am adding server side validation. Does redactor have a list of all the tags and attributes that pass its validation? In order for server side validation to not mess things up, it needs to perform the same validation the client performs. It would be even more useful if the guys over at redactor made their client side validation code available in a separate library.
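The point made in the posts above is that the server must enforce the same tag and attribute allowlist the client editor does, because anything the client "sanitizes" can be bypassed by posting raw HTML directly. The following is an added illustration, not code from the original thread, from Redactor, or from the forum project being discussed. It uses only the Python standard library, and the allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`) is a hypothetical stand-in for whatever list the client editor actually accepts; a real deployment would copy that list exactly.

```python
"""Allowlist-based server-side HTML sanitizer (example, standard library only).

Unknown tags are dropped but their text is kept; <script>/<style> contents are
dropped entirely; only allowlisted attributes survive; href values must use a
safe scheme. The allowlist below is a placeholder for the client editor's list.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist, meant to mirror the client-side editor's rules.
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "u", "a", "ul", "ol", "li",
                "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" allows relative links
RAW_TEXT_TAGS = {"script", "style"}  # their text content is never emitted


def _safe_url(url: str) -> bool:
    """Reject URLs whose scheme is not allowlisted (e.g. javascript:)."""
    # Browsers ignore tab/newline/CR inside URLs, so remove them before parsing
    # rather than letting them hide the scheme.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_stack: list[str] = []  # allowed tags currently open
        self.skip_depth = 0              # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text is still emitted by handle_data
        safe_attrs = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, etc.
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in RAW_TEXT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_stack:
            # Close everything opened after the matching tag, then the tag itself.
            while self.open_stack:
                opened = self.open_stack.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        # Close any tags the input left open so the output is well-formed.
        while self.open_stack:
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return an allowlist-sanitized copy of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of untrusted post content.
    print(sanitize('<p>hi<script>alert(1)</script> <a href="javascript:alert(1)" onclick="x()">x</a></p>'))
```

Run `sanitize()` on the submitted post body before storing it, regardless of what the client editor claims to have done; the allowlist is the single source of truth and should be kept identical to the client's so that legitimate formatting is not stripped.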