Summernote Security

How do you make SummerNote text safe when submitted into the database?

Obviously, we want to allow Summernote to make a whole bunch of HTML decisions. But, we also want to strip out potentially harmful code.

What do you all do?

What database are you using with Summernote?

Basically, MySql

This may have been answered in Security - Wappler Did it?

Sounds like, and I was glad you shared what you found!

I still think using tokens on everything is wise, even when it is an internal tool. We also will often use a service with a low cost or free tier that content moderates when it is a public form or comment area. is reliable and fast & if you have a lower-traffic site (under 500 content checks a day), it costs nothing.

I suppose combining/concantanating Summernote fields in layouts later could pose some risks if someone was reeeaaaly trying.

I don’t think it is a job for SummerNote to strip harmful code, it is something that you should do on the server-side. SummerNote does not generate harmful code, in most cases harmful code is being posted to your server by bypassing the form. You probably want to create a custom server action that will cleanup the html before inserting it in the database.

Yes, I agree.

I guess I was basically asking what functions/code do people use in Wappler (after summernote or in general I suppose) in their server actions before posting to the database?

1 Like