Security Documentation: Example serverside sanitization configurations

[antsstyle]

📝 Provide a description of the new feature or improvement

In the TinyMCE documentation here, it is pointed out that server-side filtering of input users submit through TinyMCE should take place. There is not, however, any detail about how this should be done, and issues that users would commonly face when putting input through libraries designed to perform this function.

🫶 What is the motivation?

Making the documentation more clear, and ensuring TinyMCE is used in a more secure fashion. WYSIWYG content is difficult to parse without breaking, making it awkward to sanitise server-side without careful configuration.

For instance, I've been experimenting with doing this via the HTMLPurifier library for PHP; with the default configuration, emoticon image sizes are stripped out by HTMLPurifier making them render in full size, requiring extra configuration steps and understanding to prevent it breaking content. I have not tested other TinyMCE functions yet, but would imagine it breaks a fair few of them.

🔗 What is the consequence of not having this feature?

Not having some decent examples of how to use TinyMCE in conjunction with serverside filtering makes it less likely developers will actually perform serverside sanitisation, and will rely on the TinyMCE editor sanitising content client-side before displaying it.

🚦 How important would you rate the requested feature or improvement?

Important.

---

If you'd like to see this implemented sooner, add a 👍 reaction to this post.