A statement on security.


Q: Is TinyMCE protected against XSS vulnerabilities?

Protection against XSS attacks must be implemented on the server. Anyone who can submit content through a form that uses TinyMCE can just as easily disable all JavaScript, thereby bypassing TinyMCE's filtering, and still submit HTML containing insecure content. You need to filter the HTML input properly on the server, using a tool such as HTMLPurifier.

This article is a work in progress. Please improve it by contributing.


Except as otherwise noted, the content of this page is licensed under the Creative Commons BY-NC-SA 3.0 License, and code samples are licensed under the Apache 2.0 License.