Using HTML editors in Jomres

Jomres does support the use of some WYSWYG editors enabling property managers to "beautify" their property details but their use isn't encouraged.

The problem.

The reason for this that Jomres is designed to allow the site host to offer property listings to many users, and this carries a risk: No user, ever, should be trusted (this is from a php developer's viewpoint, I'm not saying that nobody can be trusted, just that you should never trust data input by a user without validating it).

Inserting HTML code is a risk because it increases the vulnerability to such problems as cross site scripting attacks and whilst we can try to code against it, it's is a never ending race between hackers and developers so it's safest to not include it at all. 

Whether by design or by accident, users will always enter data that may compromise the security of a server and it's the developer's task to minimise the risk as much as possible. To do that, we use input filtering to try to sanitise the inputted data as much as possible, but some Jomres site admins demand that certain data such as property details be allowed to be entered while containing HTML code.

The solution.

At the end of the day, you need to consider who's going to be entering data, particularly into the Property Admin -> Edit Property pages. If the only person entering that data is you, and you're unlikely to try to hack your own system, then you can use the HTML editors within Jomres safely. If, however you're opening your site up to other users then you should set the Site Configuration -> Misc -> Allow users to edit using html editors? option to No to ensure that users cannot enter html. You can also improve your security in this regards by ensuring that you're running PHP 5.2 or greater because Jomres then will use the filter_var functionality of PHP to remove invalid code.

A side benefit of this is that users will not be able to insert html code that messes up your lovingly and painstakingly constructed template.