We take Redactor's security very seriously (sometimes even too seriously). It is now a tricky task for anyone who wants to inject malicious code through Redactor's window. However, JavaScript and its environment do not allow us to protect you against 100% of attacks. That's why we strongly recommend that you perform a server-side clean-up of the code you receive from Redactor.
You can perform this clean-up in any server-side programming language. Here are some basic examples in PHP.
First off, send the text from Redactor via POST, using a form or AJAX. Also, check that the form contents came from your site. You can do this by checking the REFERER header like this:
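One way to write the POST and REFERER check described above, as an added example rather than code from the Redactor documentation. The function names and the host `www.example.test` are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of Redactor: true only when the Referer
// header names exactly the expected host over http or https.
function referer_is_same_site(array $server, string $expectedHost): bool
{
    // The header is supplied by the client and may be missing entirely.
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed or relative value
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Compare the whole host. A substring or prefix match would also accept
    // a different host that merely contains the expected name.
    return strtolower($parts['host']) === strtolower($expectedHost);
}

// Hypothetical gate for the handler that receives Redactor's text.
function is_acceptable_post(array $server, string $expectedHost): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && referer_is_same_site($server, $expectedHost);
}

// Constructed sample requests standing in for $_SERVER (assumed host name).
$host = 'www.example.test';
$samples = [
    'same site'       => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://www.example.test/edit'],
    'other host'      => ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => 'https://www.example.test.other.test/'],
    'missing referer' => ['REQUEST_METHOD' => 'POST'],
    'wrong method'    => ['REQUEST_METHOD' => 'GET', 'HTTP_REFERER' => 'https://www.example.test/edit'],
];
foreach ($samples as $label => $server) {
    printf("%-16s %s\n", $label, is_acceptable_post($server, $host) ? 'accept' : 'reject');
}
```

In a real handler, pass `$_SERVER` and return a 403 response before touching the posted text when the check fails. The server-side clean-up of the submitted code is still needed afterwards.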