Comp527 Final Project Proposal: Rich Text Editor Research
Group: Jun Zheng (jz33) Chao Zhang (cz15)
Category: Thing to go others
Date: Oct 05 2013
Introduction
Rich text, also known as formatted text, as opposed to plain text, has styling information beyond the minimum of semantic elements: colours, styles (boldface, italic), sizes, and special features (such as hyperlinks)[1]. A general rich text editor provides an interface for editing rich text under the "What You See Is What You Get" (WYSIWYG)[2] tenet, and can save the programmer from debugging trivial HTML/CSS tags, attributes and values. Several major browser manufacturers provide a free rich text editor
service, e.g. Google Forms[3], but not as open source. Moreover, several simple open source rich text editors lack precautions against potentially risky or malicious HTML. Our group's work is therefore to research existing open source rich text editor projects, analyze their possible security issues specifically, and try to make improvements.
Strategy
First we will research the forms of potential HTML/CSS attacks and harms. Current topics are:
1. Invalid, unknown or deprecated (in HTML5) tags;
2. Inline styles;
3. Sandboxing;
4. CSS risks.
More paper research and thinking is needed at this step.
Second, we shall look into previous contributors and their commits in rich text editors. Currently we will look into source code on GitHub, a social coding host site for open source projects in languages like JavaScript, Python, PHP, etc. Our starting source code is the projects "xing/wysihtml5"[4] and "mindmup/bootstrap-wysiwyg"[5], but later we might move to other projects. We will comment on each project's protection mechanisms and potential risks. We might generate a limited set of malicious inputs to test the tolerance and durability of each project.
Third, we will combine the previous findings to create our own rich text editor, with functions like converting input to an HTML view and vice versa. Hopefully, our editor will also be capable of converting a risky HTML file into a safe HTML file based on our judgement.
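As an added illustration of the third step (this is example code written for this page, not code from the proposal or from the wysihtml5 or bootstrap-wysiwyg projects), the following is a small allowlist-based HTML sanitizer of the kind an editor needs before it turns risky input into "safe" output. It covers the topics listed in the strategy: unknown or deprecated tags are dropped while their text is kept, inline style attributes and event handlers are removed, the content of script/style-like elements disappears entirely, and href values are entity-decoded before their scheme is checked (the allowed tag and attribute sets are assumptions chosen for the example). The output is re-emitted with balanced tags.

```javascript
// Allowlist-based HTML sanitizer (added example; tag/attribute lists are assumptions).
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'ul', 'ol',
  'li', 'h1', 'h2', 'h3', 'blockquote', 'pre', 'code']);
// Attributes permitted per tag; everything else (style, onclick, ...) is dropped.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
// Elements whose text content must vanish together with the element itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);
const VOID_TAGS = new Set(['br']);

// Matches an HTML comment, or an opening/closing tag with its raw attribute text.
const TAG_RE = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
// Matches one attribute: name, optionally followed by a quoted or bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
// Small entity table; enough to undo the common obfuscations of attribute values.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Decode numeric and the named entities above, as a browser would before using the value.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (whole, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const code = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const key = body.toLowerCase();
    return key in NAMED_ENTITIES ? NAMED_ENTITIES[key] : whole;
  });
}

// Text nodes: escape markup characters but leave already well-formed entities alone.
function escapeText(text) {
  return text.replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#[0-9]+;|#[xX][0-9a-fA-F]+;)/g, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute values are fully decoded first, so every special character is re-escaped.
function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only http(s), mailto and scheme-less (relative) URLs are accepted in href.
// Control characters and whitespace are removed first, since browsers ignore them.
function isSafeHref(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  if (/^(https?|mailto):/.test(v)) return true;
  return !/^[a-z][a-z0-9+.-]*:/.test(v);
}

function parseAttrs(raw) {
  const attrs = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : '';
    attrs.push([m[1].toLowerCase(), decodeEntities(value)]);
  }
  return attrs;
}

function sanitizeHtml(input) {
  let out = '';
  const open = [];       // stack of currently open allowed elements
  let skipUntil = null;  // name of a dropped element whose content is being discarded
  let last = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(input)) !== null) {
    const text = input.slice(last, m.index);
    last = TAG_RE.lastIndex;
    if (skipUntil === null) out += escapeText(text);
    if (m[1] === undefined) continue;                // HTML comment: dropped
    const name = m[1].toLowerCase();
    const isClose = m[0].charAt(1) === '/';
    if (skipUntil !== null) {                        // inside <script>, <style>, ...
      if (isClose && name === skipUntil) skipUntil = null;
      continue;
    }
    if (isClose) {
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;                      // stray closing tag: dropped
      while (open.length > idx) out += '</' + open.pop() + '>';
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) { skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;           // unknown/deprecated tag: dropped, text kept
    let tag = '<' + name;
    const allowed = ALLOWED_ATTRS[name];
    if (allowed) {
      for (const [attr, value] of parseAttrs(m[2])) {
        if (!allowed.has(attr)) continue;            // style=, on*=, etc. never survive
        if (attr === 'href' && !isSafeHref(value)) continue;
        tag += ' ' + attr + '="' + escapeAttr(value) + '"';
      }
    }
    out += tag + '>';
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  if (skipUntil === null) out += escapeText(input.slice(last));
  while (open.length) out += '</' + open.pop() + '>';  // close anything left open
  return out;
}

module.exports = { sanitizeHtml, isSafeHref, decodeEntities };
```

The sanitizer works on serialized markup, which keeps the example self-contained; an editor running in a browser would more robustly apply the same allowlist rules to a parsed DOM tree (for example via DOMParser) so that the browser's own parser, not a regular expression, decides where each tag and attribute begins and ends. The order of operations is the security-relevant part: decode entities, strip whitespace and control characters, then check the scheme, and re-escape on output.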
References & Links:
[1] http://en.wikipedia.org/wiki/Formatted_text
[2] http://en.wikipedia.org/wiki/WYSIWYG
[3] https://chrome.google.com/webstore/detail/google-forms/jhknlonaankphkkbnmjdlpehkinifeeg
[4] https://github.com/xing/wysihtml5
[5] https://github.com/mindmup/bootstrap-wysiwyg