AFAIK, TinyMCE is supposed to be self-sufficient XSS-wise, as its editor prevents anything that

Question

0

Editorial Team

Asked: May 24, 20262026-05-24T21:44:56+00:00 2026-05-24T21:44:56+00:00

AFAIK, TinyMCE is supposed to be self-sufficient XSS-wise, as its editor prevents anything that

0

AFAIK, TinyMCE is supposed to be self-sufficient XSS-wise, as its editor prevents anything that could be used for XSS.

However, all this is done client-side, and security depends entirely on the POST headers being clean thanks to TinyMCE.

What’s stopping an attacker from making a custom HTTP request with tags in the POST HTTP headers?

Does everybody who uses TinyMCE also have extensive anti-XSS libraries on the server side to make sure this doesn’t happen? Is there a way to make sure the input did indeed come from TinyMCE and not from custom POST headers?

Needless to say, just escaping everything with the likes of htmlspecialchars() isn’t an option, as the entire point of TinyMCE is to let users input HTML formatted content.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T21:44:57+00:00

Editorial Team

2026-05-24T21:44:57+00:00Added an answer on May 24, 2026 at 9:44 pm

You can’t trust what’s coming from the client side. An attacker could even modify TinyMCE to disable whatever you have added.

On the serverside you could use something like OWASP AntiSamy or HTMLPurifier, which allows you to specify which tags you allow (whitelisting tags and attributes).

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

AFAIK, TinyMCE is supposed to be self-sufficient XSS-wise, as its editor prevents anything that

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply