I want to get sanitized data from CKEditor when I call the CKEDITOR.instances['textareaId'].getData() function.
I have noticed that CKEditor internally sanitizes the input provided in the 'Source' part.
Example: <p onclick="alert('document.cookie')">Some Text</p> gets converted to <p>Some Text</p>.
When CKEDITOR.instances['textareaId'].getData() is called, it returns <p onclick="alert('document.cookie')">Some Text</p>.
Is there any way to make CKEditor sanitize the data when the getData() function is called?
From CKEditor's point of view, don't disable the Advanced Content Filter (ACF), i.e. don't use config.allowedContent = true;. That way unwanted HTML attributes will be removed.
Please note however that JavaScript, no matter how good, can always be disabled, so ACF by no means can be treated as a security filter. If you wish to sanitize your HTML, please use a server-side library for that and not JavaScript. Sanitizing user input with your server-side application code is the only correct way to do it.
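To illustrate the server-side step the answer recommends, here is an added example that is not part of the question, the answer or CKEditor itself: a small allowlist-based HTML sanitizer written on Python's standard-library html.parser. The allowlist of tags and attributes (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_PREFIXES) is a hypothetical choice for this demo; the sample inputs are constructed and mirror the <p onclick="..."> case from the question.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist for this example: anything not listed is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose inner text must be dropped as well, not just the tag itself.
DROP_WITH_CONTENT = {"script", "style"}
# Only these link schemes are kept; javascript:, data:, vbscript: etc. are rejected.
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def _safe_url(value):
    """True if the URL starts with an allowed scheme after removing whitespace
    and control characters, which browsers tolerate inside a scheme."""
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return cleaned.lower().startswith(SAFE_URL_PREFIXES)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises the input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag but keep its text content
        kept = []
        for name, value in attrs:
            # Event handlers (onclick, onerror, ...) are never allowlisted;
            # the explicit prefix check documents that intent.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if value is None:
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser, so re-escape text
        # before writing it out; comments and declarations are dropped by default.
        if not self.skip_depth:
            self.parts.append(escape(data, quote=False))


def sanitize(html):
    """Return a sanitized copy of untrusted HTML using the allowlist above."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    # Constructed sample: the same markup the question shows getData() returning.
    print(sanitize('<p onclick="alert(\'document.cookie\')">Some Text</p>'))
    print(sanitize('<p>a<img src=x onerror=alert(1)>b</p>'))
```

The parser runs on the server over whatever the browser submits, so it does not matter whether ACF was active or disabled in the client. In a real application you would normally reach for a maintained sanitizing library with a tested allowlist rather than hand-rolling one; the point of the example is that the decision about which tags and attributes survive is made server-side.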