I've got a form with a TinyMCE editor so any user can format their text to look good.
If he writes any malicious script in the form, it is automatically escaped. But if the user cheats and posts the form using something like Postman, he can submit unescaped scripts (like iframes).
How do I validate the TinyMCE input? If I use the validator plugin with the "escape" function, it removes all formatting. I tried to use some Google Caja plugins for Node to sanitize the input, but they're not removing any malicious code, like iframes. Any help?
I've found a pretty good Node.js module to sanitize HTML input.
It's called sanitize-html, and it does exactly what I want: it removes dangerous HTML tags from the input string, and you can add/remove specific tags.