There is no shortage of WYSIWYG editors, but there seems to be no easy way to have one while keeping some semblance of protection against client-side checks being bypassed and script and object tags being included.
My initial thought was to find a WYSIWYG editor that would display Markdown, then store the formatted text in the DB and do the parsing on display. This will protect me from storing potentially dangerous code in the DB, but it will also not allow me to whitelist all the possible tags that the editor exposes, as I would need to if it were HTML.
Did I miss some very easy way here? How does everyone else balance having a useful editor with not leaving themselves wide open to attack?
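The usual answer to the question above is to treat whatever the editor sends (HTML directly, or the HTML produced by rendering stored Markdown) as untrusted and run it through a server-side allowlist sanitizer before it is stored or displayed. The following is an added example, not code from the question or from any particular editor: a small allowlist sanitizer built on Python's standard-library `html.parser`, with an assumed policy (the `ALLOWED_TAGS`, `SAFE_SCHEMES` and `DROP_CONTENT_TAGS` sets are the example's own choices). It drops `script`, `object`, `iframe` and similar elements together with their contents, strips every attribute not explicitly allowed for that tag (which removes `on*` event handlers), rejects `href`/`src` values whose scheme is not on the allowlist (so `javascript:` and `data:` URLs go, including the `java\tscript:` spelling), and re-escapes all text and attribute values on output. The sample input is constructed for the example. In production a maintained sanitizer library would be preferable to hand-rolled code, but the policy it enforces is the one shown here.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist policy for this example: tag -> attributes permitted on it.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}              # emitted without a closing tag
URL_ATTRS = {"href", "src"}            # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "iframe", "svg", "math"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from an allowlist; anything not allowed is removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded, we re-escape on output
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, to emit well-formed closes
        self.drop_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element

    @staticmethod
    def _safe_url(value):
        # Remove whitespace/control characters first so "java\tscript:" cannot sneak past.
        cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
        return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return   # unknown tag removed; its text content is still kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if value is None or name not in ALLOWED_TAGS[tag]:
                continue   # also drops onclick=..., style=..., target=...
            if name in URL_ATTRS and not self._safe_url(value):
                continue   # javascript:, data:, etc.
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_stack:
            # Close everything opened after this tag too, so output stays well-formed.
            while self.open_stack:
                opened = self.open_stack.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # parser's no-op defaults and are therefore dropped.

    def result(self):
        self.close()   # flush any buffered text
        while self.open_stack:   # close tags the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(untrusted_html):
    """Return an allowlist-filtered, re-escaped version of untrusted_html."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    return parser.result()


# Constructed sample input covering the cases the question worries about.
SAMPLE = (
    '<p onclick="steal()">Hi <b>there</b> <strong>bold</strong></p>'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.org" target="_blank">ok</a>'
    '<img src="data:text/html,evil" alt="a">'
    '<object data="x.swf"><param name="x"></object>after'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Run on `SAMPLE` this yields `<p>Hi there <strong>bold</strong></p><a>x</a><a href="https://example.org">ok</a><img alt="a">after`. Because it is an allowlist, adding a new editor feature means adding a tag or attribute to `ALLOWED_TAGS`; nothing the editor happens to emit gets through by default, which is the property the question is asking for, and it works the same whether the input came straight from the editor or from a Markdown renderer.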