How-tos & Tutorials
What makes a secure text editor?
Published March 23rd, 2023
5 min read
When selecting a secure text editor for your product, one of the most significant considerations is security. After all, if you’re taking the security of your product seriously you cannot risk a data breach, or an injection attack because of an unsecure rich text editing component.
VP of Marketing at Tiny
When it comes to TinyMCE, there’s always been (and continues to be) significant R&D investment in TinyMCE security. As an organization, we’ve worked with some of the most experienced engineers in the world who focus on rich text editors.
But, do all rich text editors on the market share the same commitment?
What is a secure text editor?
This is a common question product managers and engineers often ask themselves. For a rich text editor, security can look significantly different than it does for other platforms.
A secure rich text editor enables users to create and edit text with various formatting options while ensuring the security of the content. It should be designed to prevent potential security risks such as insertion attacks or cross-site scripting vulnerabilities, and have features such as Content Security Policy, XSS security process, and CORS policies to keep the content safe.
The uniqueness of building (and maintaining) a secure text editor is that it deals with content that’s input and subsequently output to different places, in different ways. How do you keep this sort of content safe, and away from potentially dangerous insertion attacks? There are a few techniques used.
One way is the utilization of technologies such as DomParser, which focuses on cross-site scripting vulnerabilities. While using the DomParser helps, the main focus for a secure rich text editor is ensuring that your rich text editor isn’t ‘owning the content’. Instead, the content is passed through server-side filters which keep the content safe, secure, and away from security vulnerabilities.
However, with so many editors on the market, it can be difficult to know which ones take security seriously, and which leave it by the wayside.
What is an insertion attack?
An insertion attack can insert potentially dangerous content, packets, or information into content that is being sent from the editor, leaving your users open to vital security risks. It can also be called an injection attack.
Secure text editor considerations and features
When it comes to ensuring your rich text editor, and by extension your application, remains secure there are a few key considerations you should consider.
Does the editor have:
A dedicated Content Security Policy
A dedicated XXS security process
The ability to quickly, and easily, report any security bugs
While the above list should be considered table stakes for all editors, and should be ‘off the shelf’, unfortunately, it’s often unique to TinyMCE security, and isn’t evident in most other rich text editors on the market.
Technical considerations of security
The above information focuses purely on policies and processes. It therefore should only be used as a guide to help determine what editor takes security seriously, and which ones may be allowing the security of your application to be a secondary consideration in their development work.
It’s difficult in a single article to cover which rich text editor is the ‘most secure’ because it’s also impacted by the features you’re looking to include in the underlying structure of the editor itself. And this doesn’t even start to scratch the surface of how you look at your product’s security, how your engineers have structured it, and what you need your editing solution to achieve.
It’s important that your engineers continue to do their own research, to determine which rich text editor best fits your technical environment and to determine which is best for your application.
However, there are many editors on the market, which is why it’s important to clearly see amongst the most popular rich text editors, which ones take security the most seriously.
Popular WYSIWYG editor security
Putting security aside for a moment, it’s already difficult to compare the different rich text editors available – because it's not a straight apples to apples comparison. Why is it so hard? Because you’re often comparing rich text editors with an open source core, with fully commercial solutions, or editors that haven’t been updated in months (or years) by the open source community versus an editor that’s regularly being maintained by a thriving development team.
Below is a snapshot of some popular editors* on the market and the information that’s easily (and publicly) available, regarding their commitment to security.
|Public security advisories|
|Content Security Policy|
|Security bug reporting|
|XXS security documentation|
|Asymmetric JWT Signing|
*Popular WYSIWYG editor security comparison, as at March 2023
Is TinyMCE safe?
The simple answer is ‘Yes’. TinyMCE has a dedicated security counsel where you can actively engage with our security engineers and know when a vulnerability is spotted (no matter how rare), as well as a dedicated team of professional engineers ready to patch and fix any possible exposures, as soon as possible.
VP of Marketing at Tiny
VP of Marketing at Tiny. Elise has marketing experience across a range of industries and organisation sizes, and loves to blend the creative aspect of marketing together with data to develop engaging and effective marketing strategies and campaigns.