Option to turn off all JS put into editor

[duguying]

#EpicEditor
This is some default content. Go ahead, _change me_.
<img src="./" onerror="alert('hack')">

[OscarGodson]

EpicEditor has never stripped this stuff because some people want to use JS in there. For example, they want to make something like JSBin with EpicEditor. Maybe turning off all embedded JS should be an option tho?

[duguying]

yes, i think maybe an option should be there to

turning off all embedded JS

[OscarGodson]

Reopening so someone can make this an option. Going to update the title a bit tho

[duguying]

ok, thanks

[massar]

One would effectively need something like https://github.com/microcosm-cc/bluemonday for this but then in Javascript to do it properly.

Seems somebody did a cross compile: https://github.com/mdp/bluemonday-js/
though that is NMP and quite heavy....

If the user or a tool does add text that includes javascript you have lost already: the user can do it anyway, no way to stop it and a tool that already can insert javascript already owns the browser.