Larry Ullman's Book Forums

How To Implement A WYSIWYG Editor And Safely Store Data In DB



I would like to replace one of the textarea form elements with a WYSIWYG editor such as http://nicedit.com/ or http://aloha-editor.org/ so the users may format their posts (pretty much like in this forum). This probably means that the information will be stored in the database as HTML. My question is what is the best way to deal with these things from the security point of view. Should I use strip_tags() and specify what is allowed, and probably slim down the editors to something reasonable, like eliminating things such as inline style for colors and divs for indenting the content? Or maybe there is a better solution that I am not aware of, so I can safely implement such an editor without (major) changes dealing with HTML as a whole? Does such an implementation raise security concerns?


// keep only the listed tags; note strip_tags() leaves every attribute on an allowed tag untouched
$f = strip_tags($_POST['textareaField'], '<h1><h2><p><pre><ul><ol><li><div><font><span><strong><br>');

// was htmlspecialchars($c) with $c undefined; this encodes the remaining < and > as well,
// so the tags kept above will show up as literal text instead of rendering
$r = htmlspecialchars($f);


Is this too much, or should it work?


If it is not safe enough, I am thinking of replacing each of these tags with a placeholder (like @@<h1>@@ for '<h1>' and so on...), then stripping everything before storing the string in the database. Then, when I want to display it, I replace the placeholders with their respective tags.


I wouldn't like to do this if not necessary. What do you think?
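An added example (not code from the original post or from the forum): a DOMDocument-based allow-list sanitizer in PHP, covering the caveat with the strip_tags() approach asked about above (it keeps all attributes on the tags it allows) by allow-listing both tags and attributes and checking link schemes. The tag, attribute and scheme lists are assumptions chosen for a simple post editor.

```php
<?php
// Added example, not code from the original post: an allow-list sanitizer on
// PHP's DOMDocument. strip_tags() keeps every attribute on an allowed tag, so a
// tag allow-list alone leaves event handlers and javascript: links in place.
// Tag/attribute/scheme lists are assumptions for a simple post editor.
const ALLOWED_TAGS    = ['h1', 'h2', 'p', 'pre', 'ul', 'ol', 'li', 'strong', 'em', 'br', 'a'];
const ALLOWED_ATTRS   = ['a' => ['href']];          // every other attribute is dropped
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function safeUrl(string $url): bool
{
    $url = preg_replace('/[\x00-\x20]+/', '', $url); // browsers ignore embedded whitespace
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true;                                  // relative URL, no scheme
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function cleanNode(DOMNode $node): void
{
    // walk a snapshot: the child list is modified during the loop
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) { if (!$child instanceof DOMText) $node->removeChild($child); continue; }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') { $node->removeChild($child); continue; }
        cleanNode($child);                            // sanitize the subtree first
        if (!in_array($tag, ALLOWED_TAGS, true)) {    // unknown tag: keep its (clean) children
            while ($child->firstChild) $node->insertBefore($child->firstChild, $child);
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                || ($name === 'href' && !safeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR);
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper element
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) $out .= $doc->saveHTML($child);
    return $out;
}
// constructed sample: an allowed tag carrying an event handler, one bad and one good link
echo sanitizeHtml('<p onmouseover="f()">Hi <a href="javascript:f()">x</a> <a href="https://example.com">ok</a></p>');
```

Run the sanitized result through the same function again on output (or keep it in the database only after sanitizing) so that the stored HTML is the one the browser receives.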
