I have a textarea setup with CKEditor (a WYSIWIG) in which the user is

Question

0

Asked: June 4, 20262026-06-04T20:53:43+00:00 2026-06-04T20:53:43+00:00

I have a textarea setup with CKEditor (a WYSIWIG) in which the user is

0

I have a textarea setup with CKEditor (a WYSIWIG) in which the user is allowed to enter information with a few markup options. However I need to stop potential hackers exploiting this feature and entering malicious code.

I can strip out the tags I don’t want using PHPs strip_tags() using an array of allowed tags: http://php.net/manual/en/function.strip-tags.php

However the possibility still remains that an attacker could simply add onload or onclick etc to any HTML tag that is on the allowed list.

So what would be my best option to check for this type of issue?

My initial thought is to create a blacklist array of these JavaScript functions and then see if any of them occur within the entered data.

Does that sound like a good way to do it or are there better alternatives?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-04T20:53:44+00:00

Editorial Team

2026-06-04T20:53:44+00:00Added an answer on June 4, 2026 at 8:53 pm

Use more robust tool like http://htmlpurifier.org/

It allows you sanitize input, add allowed attributes, tags. You will have more control.

I highly recommend you create whitelist, instead of blacklist. With blacklist you may skip some dangerous attributes, while with whitelist you allow what you want.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a textarea setup with CKEditor (a WYSIWIG) in which the user is

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply