draft-js
Need an example that shows how to *safely* display rich text created by draftjs
If we use draftjs to create rich text, we also need to display it somewhere. But the problem is: how do we ensure that the data entered by the user and sent to the server via Draft.js is actually safe from XSS? I'd love to see an example that shows how Facebook ensures this.
fixed typo in the title
Hi, I suppose you can use something like this http://htmlpurifier.org on the server side.
Save the ContentState to your server; it's just a JSON object and (unless you parse it in an unsafe way) it doesn't pose an XSS risk. You can use something like redraft to render on the server, or one of the renderers on awesome-draft-js, which are available in many languages.
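The approach in this answer (store the raw ContentState JSON, render it yourself instead of accepting HTML from the client), as an added example in JavaScript that is neither draft-js code nor the commenter's: a small server-side renderer for the raw format that convertToRaw() produces. The style and block type names are Draft.js defaults; the helper names and the sample object are constructed for this example.

```javascript
// Added example, not draft-js code: render a raw ContentState (the convertToRaw()
// JSON a client sends to the server) to HTML without trusting any of it. Text is
// always escaped; only allow-listed styles, blocks and http(s) links become markup.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
const arr = (x) => (Array.isArray(x) ? x : []);
const STYLE_TAGS = { BOLD: 'strong', ITALIC: 'em', UNDERLINE: 'u', CODE: 'code' };
const BLOCK_TAGS = { unstyled: 'p', 'header-one': 'h1', 'header-two': 'h2',
  blockquote: 'blockquote', 'code-block': 'pre', 'unordered-list-item': 'li' };
// Only http(s) URLs survive; unparsable URLs and other schemes stay plain text.
function safeHref(url) {
  try { const u = new URL(String(url)); return /^https?:$/.test(u.protocol) ? u.href : null; }
  catch (e) { return null; }
}
function forRange(r, len, fn) { // range clamped to the text so bad offsets are harmless
  const a = Math.min(len, Math.max(0, Number(r.offset) || 0));
  const b = Math.min(len, a + Math.max(0, Number(r.length) || 0));
  for (let i = a; i < b; i++) fn(i);
}
function renderBlock(block, entityMap) {
  const text = typeof block.text === 'string' ? block.text : '';
  const styles = Array.from({ length: text.length }, () => []);
  const links = new Array(text.length).fill(null);
  for (const r of arr(block.inlineStyleRanges))            // unknown styles are ignored
    if (STYLE_TAGS[r.style]) forRange(r, text.length, (i) => styles[i].push(r.style));
  for (const r of arr(block.entityRanges)) {                // non-LINK entities are ignored
    const ent = entityMap[r.key];
    const href = ent && ent.type === 'LINK' && ent.data ? safeHref(ent.data.url) : null;
    if (href) forRange(r, text.length, (i) => { links[i] = href; });
  }
  const fmt = (i) => styles[i].slice().sort().join(',') + '|' + links[i]; // run key
  let html = '';
  for (let i = 0, j; i < text.length; i = j) {             // one run per formatting change
    for (j = i + 1; j < text.length && fmt(j) === fmt(i); j++);
    let run = escapeHtml(text.slice(i, j));
    for (const s in STYLE_TAGS) if (styles[i].includes(s)) run = `<${STYLE_TAGS[s]}>${run}</${STYLE_TAGS[s]}>`;
    if (links[i]) run = `<a href="${escapeHtml(links[i])}" rel="noopener noreferrer">${run}</a>`;
    html += run;
  }
  const tag = BLOCK_TAGS[block.type] || 'p';                // unknown block type -> <p>
  return `<${tag}>${html}</${tag}>`;
}
function renderRawContent(raw) {
  if (!raw || !Array.isArray(raw.blocks)) throw new TypeError('not a raw ContentState');
  return raw.blocks.map((b) => renderBlock(b || {}, raw.entityMap || {})).join('');
}
// Constructed sample: markup inside the text and a javascript: URL in a LINK entity.
const SAMPLE = { entityMap: { 0: { type: 'LINK', data: { url: 'javascript:alert(1)' } } },
  blocks: [{ key: 'a1', type: 'unstyled', text: 'Hello <script>alert(1)</script> world',
    inlineStyleRanges: [{ offset: 0, length: 5, style: 'BOLD' }],
    entityRanges: [{ offset: 32, length: 5, key: 0 }] }] };
```

Running renderRawContent(SAMPLE) yields the escaped text inside a bold "Hello" with no link, since the entity's URL is not http(s); the same walk is what a renderer such as redraft does for you, with the allow-lists being the part that matters for safety.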
You can use something like CSP to resolve the problem.
I have the same question. Is it safe to save the draft-js objects on the server side without validation?