Comments on: WYSIWYG is the best Symfony friend http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/ Everything you wanted to know about Symfony framework but did not know who to ask! Wed, 14 Dec 2011 12:09:25 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Using CKeditor as AJAX | SymfonyLab http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/comment-page-1/#comment-1025 Using CKeditor as AJAX | SymfonyLab Sun, 06 Feb 2011 13:03:08 +0000 http://www.symfonylab.com/?p=105#comment-1025 [...] wrote about WYSIWYG editors in Symfony a long time ago. Now we would like to mention about using CKEditor with symfony and [...] [...] wrote about WYSIWYG editors in Symfony a long time ago. Now we would like to mention about using CKEditor with symfony and [...]

]]> By: Jacques Philip http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/comment-page-1/#comment-475 Jacques Philip Fri, 12 Dec 2008 18:15:04 +0000 http://www.symfonylab.com/?p=105#comment-475 The problem other than security that I found with editors based on HTML is that when used by people who know nothing or little about HTML, these people can enter malformed HTML or click on buttons multiple times and that may not render at all what they expect or worst, affects the whole document. Then, they call you to fix their mess, which is sometimes not fun at all. This is why I went to markdown. The problem other than security that I found with editors based on HTML is that when used by people who know nothing or little about HTML, these people can enter malformed HTML or click on buttons multiple times and that may not render at all what they expect or worst, affects the whole document.
Then, they call you to fix their mess, which is sometimes not fun at all.

This is why I went to markdown.

]]> By: Jacques Philip http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/comment-page-1/#comment-474 Jacques Philip Fri, 12 Dec 2008 04:05:57 +0000 http://www.symfonylab.com/?p=105#comment-474 I am the author of sfWmdPlugin and I use the plugin with a Sanitizable Doctrine behavior that attaches a listener to each model that it acts on. The listener strips all HTML tags from the string fields before any save or update query on those models. The result is that only the markdown text is saved to the DB for security. The problem is that markdown is not very rich for display, so when I know a field is only used by trusted users, I can set an Ignore option so that HTML can be saved with markdown. Since HTML can be embedded in markdown, this makes for nicer pages written by admins. I am the author of sfWmdPlugin and I use the plugin with a Sanitizable Doctrine behavior that attaches a listener to each model that it acts on.
The listener strips all HTML tags from the string fields before any save or update query on those models.
The result is that only the markdown text is saved to the DB for security.
The problem is that markdown is not very rich for display, so when I know a field is only used by trusted users, I can set an Ignore option so that HTML can be saved with markdown.
Since HTML can be embedded in markdown, this makes for nicer pages written by admins.

]]> By: Cool http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/comment-page-1/#comment-473 Cool Fri, 12 Dec 2008 00:32:24 +0000 http://www.symfonylab.com/?p=105#comment-473 I were in love with FCKEditor over TinyMCE. However, when it comes to ajax, FCKEditor became a pain in the neck which cause me lots of struggles. TinyMCE is now my flavor. I were in love with FCKEditor over TinyMCE. However, when it comes to ajax, FCKEditor became a pain in the neck which cause me lots of struggles. TinyMCE is now my flavor.

]]> By: Stefan http://www.symfonylab.com/wysiwyg-is-the-best-symfony-friend/comment-page-1/#comment-472 Stefan Thu, 11 Dec 2008 21:54:21 +0000 http://www.symfonylab.com/?p=105#comment-472 My main problem with offering such plugins to users is security. How do you secure your HTML from XSS and other security risks? Does sfValidatorHtmlPlugin also do security checks or does it just do validity checks. The information in their README is not clear enough to know. the Markup one seems the most secure to me, as you can always control how the markup is generated so the actual HTML is yours, not the user's. My main problem with offering such plugins to users is security. How do you secure your HTML from XSS and other security risks?

Does sfValidatorHtmlPlugin also do security checks or does it just do validity checks. The information in their README is not clear enough to know.

the Markup one seems the most secure to me, as you can always control how the markup is generated so the actual HTML is yours, not the user’s.

]]>