I have a great concern in deploying the TinyMCE editor on a website. Looking at the code parsed by the editor it does a great job, and I leave the HTML button off the toolbar configuration so users can not inject their own source.

However, from what I read in the TinyMCE docs, it claims to degrade nicely to a regular textarea should javascript be disabled on a users browser… and therein lies my concern. If it does revert to a normal textarea, then the user is then able to easily inject their own HTML, and this leaves me with a security concern.

I just pass through data created with TinyMCE, and it is used within another page created by my script, so it poses no security risk to my server. The security concern arises over what malicious data may be passed to another user viewing the generated page.

I know many of you will tell me to just use regexes, or parse this data, but that itself could be a nightmare, as I would be trying to either…

a.) Use regexes to try and clean up the HTML without breaking the generated page,
and it is better to parse the data for that anyway.

b.) Reparsing data that has already been parsed by the RTF editor, which also
would probably end up breaking the generated page.

Anyone with any previous experience with this type of scenario, I would really appreciate a ‘heads-up’ as to any other risks that using an RTF editor for user data could entail.
I would really like to provide this as a user option, but not if the risks outweigh giving the user using the RTF a chance to take a wack at another user viewing the page that is generated by the script.

My gut feeling is to steer a wide berth around use of the RTF at this point.

Thanks for any direction you can give me with your own experiences.