Summernote Security

How do you make SummerNote text safe when submitted into the database?

Obviously, we want to allow Summernote to make a whole bunch of HTML decisions. But we also want to strip out potentially harmful code.

What do you all do?

What database are you using with Summernote?

MariaDB.
Basically, MySQL.

This may have been answered in Security - Wappler Did it?

Sounds like it, and I was glad you shared what you found!

I still think using tokens on everything is wise, even when it is an internal tool. We also will often use a service with a low cost or free tier that content moderates when it is a public form or comment area. https://sightengine.com/pricing is reliable and fast & if you have a lower-traffic site (under 500 content checks a day), it costs nothing.

I suppose combining/concatenating Summernote fields in layouts later could pose some risks if someone was reeeaaaly trying.

I don’t think it is a job for SummerNote to strip harmful code; it is something that you should do on the server side. SummerNote does not generate harmful code; in most cases harmful code is being posted to your server by bypassing the form. You probably want to create a custom server action that will clean up the HTML before inserting it in the database.
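As an added example of the server-side clean-up step described above (this is not Summernote's, Wappler's or the poster's code), here is an allowlist sanitizer written for a Node.js server action. The tag and attribute allowlist, the `sanitizeHtml`/`safeUrl` names and the sample POST body are all assumptions chosen for illustration; the point is the approach: rebuild the markup from parsed tokens so that anything not explicitly allowed never reaches the output, including event handlers, `<script>` content and `javascript:`/`data:` URLs hidden behind whitespace or entity encoding. In production you would reach for a maintained library such as sanitize-html or DOMPurify on jsdom, which cover far more parser corner cases than this small tokenizer, but the checks it performs are the ones any such library has to perform.

```javascript
// Added example (not Summernote's or Wappler's code): allowlist HTML sanitizer
// to run in a server action before the INSERT. The allowlist and names below
// are assumptions for illustration; use a maintained library in production.

const ALLOWED = {                        // tag -> attributes that may survive
  p: [], br: [], b: [], strong: [], i: [], em: [], u: [], s: [],
  ul: [], ol: [], li: [], blockquote: [], pre: [], code: [],
  h1: [], h2: [], h3: [], h4: [],
  table: [], thead: [], tbody: [], tr: [], th: [], td: [],
  a: ['href', 'title'], img: ['src', 'alt', 'width', 'height'],
};
// Own-property check: `'constructor' in ALLOWED` would be true, so avoid `in`.
const isAllowed = (tag) => Object.prototype.hasOwnProperty.call(ALLOWED, tag);
const VOID = new Set(['br', 'img']);
// Disallowed tags whose text content must be dropped as well, not just the tag.
const DROP_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed',
  'noscript', 'textarea', 'title', 'svg', 'math']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode numeric and a few named entities; unknown ones are left untouched.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    const b = body.toLowerCase();
    if (b[0] !== '#') return b in NAMED ? NAMED[b] : m;
    const cp = b[1] === 'x' ? parseInt(b.slice(2), 16) : parseInt(b.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}
// Text nodes: escape bare metacharacters but keep already well-formed entities.
function escapeText(s) {
  return s.replace(/&(?![a-z0-9#]+;)/gi, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Attribute values: fully re-encode the decoded value.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Returns the URL to emit, or null if the attribute must be dropped.
function safeUrl(raw) {
  const decoded = decodeEntities(raw.trim());
  if (/&[a-z0-9#]+;/i.test(decoded)) return null;       // undecodable entity: fail closed
  const probe = decoded.replace(/[\u0000-\u0020]/g, ''); // browsers ignore these in a scheme
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(probe);
  if (m && !SAFE_SCHEMES.has(m[1].toLowerCase())) return null; // javascript:, data:, vbscript:
  return decoded;                                        // relative URLs pass as-is
}

const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function buildAttrs(tag, rawAttrs) {
  let out = '';
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    if (!ALLOWED[tag].includes(name)) continue;          // drops on*, style, class, ...
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    value = URL_ATTRS.has(name) ? safeUrl(value) : decodeEntities(value);
    if (value !== null) out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/y;

function sanitizeHtml(html) {
  let out = '';
  const open = [];                                       // open allowed tags, for balancing
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += escapeText(html.slice(i)); break; }
    out += escapeText(html.slice(i, lt));
    if (html.startsWith('<!--', lt)) {                   // comments are dropped
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (!m) { out += '&lt;'; i = lt + 1; continue; }     // a stray '<' is just text
    i = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (!isAllowed(tag)) {
      if (!closing && DROP_CONTENT.has(tag)) {           // skip <script>...</script> wholesale
        const end = html.toLowerCase().indexOf(`</${tag}`, i);
        if (end === -1) break;
        const gt = html.indexOf('>', end);
        i = gt === -1 ? html.length : gt + 1;
      }
      continue;                                          // other unknown tags: keep text, drop markup
    }
    if (VOID.has(tag)) { if (!closing) out += `<${tag}${buildAttrs(tag, m[3])}>`; continue; }
    if (!closing) { open.push(tag); out += `<${tag}${buildAttrs(tag, m[3])}>`; continue; }
    const idx = open.lastIndexOf(tag);
    if (idx === -1) continue;                            // stray close tag: ignore
    while (open.length > idx) out += `</${open.pop()}>`;
  }
  while (open.length) out += `</${open.pop()}>`;         // close whatever was left open
  return out;
}

// Constructed sample of what a tampered POST might carry (not real user data).
const SAMPLE = '<p onclick="steal()">Hi <b>there</b></p><script>alert(1)</script>'
  + '<a href="java\tscript:alert(1)">bad</a><a href="https://example.com/?a=1&amp;b=2">ok</a>'
  + '<img src="/uploads/a.png" onerror="alert(1)"><div><i>unclosed';
console.log(sanitizeHtml(SAMPLE));
```

Run it with `node` and the sample comes back as `<p>Hi <b>there</b></p><a>bad</a><a href="https://example.com/?a=1&amp;b=2">ok</a><img src="/uploads/a.png"><i>unclosed</i>`: the handler attribute, the script block and the obfuscated `javascript:` link are gone, the legitimate link and upload path survive, and the unbalanced markup is closed so it cannot break out of the layout it is later concatenated into. Two design choices worth keeping whatever library you end up using: URL attributes are decoded and stripped of control characters before the scheme check, because the browser does the same before following them, and any value the sanitizer cannot fully decode is rejected rather than passed through.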

Yes, I agree.

I guess I was basically asking what functions/code do people use in Wappler (after summernote or in general I suppose) in their server actions before posting to the database?
