Larry Ullman's Book Forums
masterlayouts

How To Implement A WYSIWYG Editor And Safely Store Data In DB

Recommended Posts

I would like to replace one of the textarea form elements with a WYSIWYG editor such as http://nicedit.com/ or http://aloha-editor.org/ so the users may format their posts (pretty much like in this forum). This probably means that the information will be stored in the database as HTML. My question is what is the best way to deal with these things from the security point of view. Should I use strip_tags() and specify what is allowed, and probably slim down the editors to something reasonable, like eliminating things such as inline style for colors and divs for indenting the content? Or maybe there is a better solution that I am not aware of, so I can safely implement such an editor without (major) changes dealing with HTML as a whole? Does such an implementation raise security concerns?


Yes, strip down the editor and then apply strip_tags(), stripping out all but a couple of necessary tags.

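An added example of the "strip down the editor, then strip_tags()" approach carried one step further (this is not code from the thread or from Larry's book). strip_tags() keeps every attribute on the tags it allows, so an allowed tag can still carry an event-handler attribute or a javascript: link; the second pass below parses what strip_tags() left and removes all attributes except those on a per-tag allow-list. The tag and attribute lists are example choices, not a recommendation from the thread.

```php
<?php
// Added example (not from the thread): allow-list sanitizer for WYSIWYG output.
// Pass 1 is the strip_tags() step recommended above; pass 2 removes every
// attribute not explicitly allowed, because strip_tags() keeps all attributes
// (including onclick= and javascript: URLs) on the tags it lets through.
declare(strict_types=1);

// Tags a trimmed-down editor is allowed to emit (example choice).
const ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'pre', 'h1', 'h2', 'a'];
// Attributes kept per tag; anything not listed is dropped.
const ALLOWED_ATTRS = ['a' => ['href']];
// URL schemes accepted in href; an href with any other scheme is removed.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function sanitizeHtml(string $dirty): string
{
    // Pass 1: strip_tags() drops disallowed tags but keeps their text content.
    $stripped = strip_tags($dirty, '<' . implode('><', ALLOWED_TAGS) . '>');

    // Pass 2: parse the remainder and filter attributes tag by tag.
    $doc = new DOMDocument();
    $prevErrors = libxml_use_internal_errors(true); // editor HTML is rarely well-formed
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div id="root">' . $stripped . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_use_internal_errors($prevErrors);

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*[@*]') as $el) {
        $allowedForTag = ALLOWED_ATTRS[strtolower($el->nodeName)] ?? [];
        // Copy the attribute list first: removing while iterating skips entries.
        $attrs = iterator_to_array($el->attributes, false);
        foreach ($attrs as $attr) {
            $name = strtolower($attr->nodeName);
            if (!in_array($name, $allowedForTag, true)
                || ($name === 'href' && !hasAllowedScheme($attr->nodeValue))) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }

    // Serialise only the fragment inside the wrapper div.
    $root = $xpath->query('//div[@id="root"]')->item(0);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function hasAllowedScheme(string $url): bool
{
    // Control characters (tab, newline) can hide a scheme from a naive check.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if ($scheme === false) {
        return false; // unparseable URL
    }
    if ($scheme === null) {
        return true;  // relative URL, no scheme to check
    }
    return in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

// Constructed sample input: a disallowed tag, an event-handler attribute and a
// javascript: link next to legitimate formatting.
$sample = '<p onclick="x()">Hi <strong>there</strong></p>'
        . '<script>x()</script><a href="javascript:void(0)">bad</a>'
        . '<a href="https://example.com">ok</a>';
echo sanitizeHtml($sample), PHP_EOL;
// Expected: the script tag, the onclick attribute and the javascript: href are
// gone; the https link keeps its href.
```

The text of the disallowed tags survives (strip_tags() behaviour), so "x()" still appears as plain text in the output; that is harmless because it is no longer markup. If the editor is allowed to emit style attributes or other tags, add them to the lists deliberately rather than widening the lists to whatever the editor produces.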

$f = strip_tags($_POST['textareaField'], '<h1><h2><p><pre><ul><ol><li><div><font><span><strong><br>');

$r = htmlspecialchars($c);

 

Is this too much, or should it work?

 

If it is not safe enough I am thinking of replacing each of these tags with a placeholder (like @@<h1>@@ for '<h1>' and so on...), then stripping everything before storing the string in the database. Then when I want to display it I replace the placeholders with their respective tags.

 

I wouldn't like to do this if not necessary. What do you think?


Well, I don't understand what $r and $c are, but the use of strip_tags() looks fine. If you were to use placeholders, most people use [tag] and [/tag].

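An added example of the placeholder approach discussed above, using the [tag] and [/tag] form Larry mentions (this is not code from the thread or from Larry's book). The stored text is escaped in full with htmlspecialchars() on output, and only afterwards is a fixed map of placeholders turned back into HTML, so no '<' typed by the user ever reaches the browser as markup. The placeholder map and the scheme check on [url=...] are example choices.

```php
<?php
// Added example (not from the thread): render stored "[tag] ... [/tag]" text.
// Everything is HTML-escaped first; only placeholders in BBCODE_MAP become markup.
declare(strict_types=1);

// Placeholder => HTML open/close pair. Only these can become markup.
const BBCODE_MAP = [
    'b'    => ['<strong>', '</strong>'],
    'i'    => ['<em>', '</em>'],
    'pre'  => ['<pre>', '</pre>'],
    'list' => ['<ul>', '</ul>'],
    'li'   => ['<li>', '</li>'],
];

function renderBbcode(string $stored): string
{
    // Step 1: neutralise all HTML the user typed. From here on everything is text.
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: simple paired placeholders. Unknown ones stay as literal text.
    $safe = preg_replace_callback(
        '#\[(/?)([a-z]+)\]#i',
        static function (array $m): string {
            $tag = strtolower($m[2]);
            if (!isset(BBCODE_MAP[$tag])) {
                return $m[0];
            }
            return $m[1] === '/' ? BBCODE_MAP[$tag][1] : BBCODE_MAP[$tag][0];
        },
        $safe
    );

    // Step 3: links. The URL is already escaped (quotes became &quot;), so it
    // cannot break out of the attribute; the scheme is still restricted.
    $safe = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        static function (array $m): string {
            if (!preg_match('#^(https?://|mailto:)#i', $m[1])) {
                return $m[0]; // unsupported scheme: leave the placeholder as text
            }
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Step 4: keep the line breaks the user typed.
    return nl2br($safe);
}

// Constructed sample: placeholders, raw HTML typed by the user, and two links.
$sample = "Hello [b]world[/b] <script>x()</script>\n"
        . "[url=https://example.com]link[/url] [url=javascript:void(0)]bad[/url]";
echo renderBbcode($sample), PHP_EOL;
// Expected: <strong>world</strong>, the script tag shown as escaped text,
// one real <a> for the https link, and the javascript: placeholder left as text.
```

This renderer does not check that placeholders are balanced or properly nested; an unclosed [b] yields an unclosed <strong>, which can upset page layout but cannot inject script, because the only '<' characters in the output come from BBCODE_MAP. Storing the raw placeholder text rather than HTML also means the allowed formatting can be changed later without rewriting existing rows.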
