masterlayouts Posted March 28, 2012 I would like to replace one of the textarea form elements with a WYSIWYG editor such as http://nicedit.com/ or http://aloha-editor.org/ so the users may format their posts (pretty much like in this forum). This probably means that the information will be stored in the database as HTML. My question is what is the best way to deal with these things from the security point of view. Should I use strip_tags() and specify what is allowed, and probably slim down the editors to something reasonable, like eliminating things such as inline style for colors and divs for indenting the content? Or maybe there is a better solution that I am not aware of, so I can safely implement such an editor without (major) changes dealing with HTML as a whole? Does such an implementation raise security concerns?
Larry Posted March 28, 2012 Yes, strip down the editor and then apply strip_tags(), stripping out all but a couple of necessary tags.
masterlayouts Posted March 29, 2012

$f = strip_tags($_POST['textareaField'], '<h1><h2><p><pre><ul><ol><li><div><font><span><strong><br>');
$r = htmlspecialchars($c);

Is this too much, or should it work? If it is not safe enough I am thinking of replacing each of these tags with a placeholder (like @@<h1>@@ for '<h1>' and so on...), then stripping everything before storing the string in the database. Then when I want to display it I replace the placeholders with their respective tags. I wouldn't like to do this if not necessary. What do you think?
Larry Posted March 30, 2012 Well, I don't understand what $r and $c are, but the use of strip_tags() looks fine. If you were to use placeholders, most people use [tag] and [/tag].
masterlayouts Posted April 2, 2012 Sorry, the $c should have been $f. What I want to do is apply htmlspecialchars() after I applied strip_tags().
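An added example, not code posted by anyone in this thread, to make the behaviour of the two functions discussed above concrete. strip_tags() with an allowed-tags list removes disallowed elements but leaves every attribute on the allowed ones, so an event handler such as onmouseover, or a javascript: href, passes straight through; and running htmlspecialchars() over the result escapes the allowed tags as well, so they render as literal text. The block below shows both, then an allowlist sanitizer built on PHP's DOMDocument that keeps only the elements the editor needs and drops all attributes except an href with a vetted scheme. The function names, the sample input and the allowlists are this example's own choices; a maintained sanitizer library (HTML Purifier, for instance) is the usual production answer.

```php
<?php
// Added example (not code from the thread): what strip_tags() leaves behind, and a
// DOMDocument-based allowlist sanitizer that keeps only allowed elements and a safe href.

// Constructed sample: what a hostile user could submit from the WYSIWYG editor.
$posted = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
        . '<a href="javascript:alert(2)">click</a>'
        . '<img src="x" onerror="alert(3)">'
        . '<script>alert(4)</script>';

// 1. strip_tags() removes disallowed elements but keeps every attribute on the
//    allowed ones, so the onmouseover handler and the javascript: href survive.
$stripped = strip_tags($posted, '<p><b><a>');

// 2. htmlspecialchars() on that result escapes the allowed tags too, so "<p>"
//    is displayed as text: the allowlist buys nothing once this is applied.
$escaped = htmlspecialchars($stripped, ENT_QUOTES, 'UTF-8');

// 3. Allowlist sanitizer (example code). safe_url() accepts relative URLs and
//    http/https/mailto; anything else, including javascript:, is rejected.
function safe_url(string $url): bool
{
    // Browsers ignore ASCII control characters inside a scheme, so strip them
    // before inspecting it ("java\tscript:" must not pass).
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;                          // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
}

function clean_node(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Snapshot the children: the live NodeList changes as nodes are moved or removed.
    $children = [];
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);   // drop the element together with its content
                continue;
            }
            clean_node($child, $allowedTags, $allowedAttrs);   // clean descendants first
            if (!in_array($tag, $allowedTags, true)) {
                // Unwrap: keep the already cleaned children, drop the element itself.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            $names = [];
            foreach ($child->attributes as $attr) {
                $names[] = $attr->name;
            }
            foreach ($names as $name) {
                $lname = strtolower($name);
                $keep = in_array($lname, $allowedAttrs[$tag] ?? [], true)
                     && ($lname !== 'href' || safe_url($child->getAttribute($name)));
                if (!$keep) {
                    $child->removeAttribute($name);
                }
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);       // comments, processing instructions
        }
    }
}

function sanitize_html(string $html, array $allowedTags, array $allowedAttrs): string
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // malformed user input is expected
    $dom->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
                   . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $dom->getElementsByTagName('body')->item(0);
    clean_node($body, $allowedTags, $allowedAttrs);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $dom->saveHTML($child);       // inner HTML of <body>, attributes included
    }
    return $out;
}

// Example allowlists: roughly what a slimmed-down editor needs, no div/span/font/style.
$allowedTags  = ['p', 'br', 'strong', 'b', 'em', 'i', 'ul', 'ol', 'li', 'pre', 'a'];
$allowedAttrs = ['a' => ['href']];

$clean = sanitize_html($posted, $allowedTags, $allowedAttrs);
// Store $clean and echo it as-is on display. Apply htmlspecialchars() only to
// fields that must be plain text (titles, usernames), never to sanitized HTML.
echo $stripped, "\n", $escaped, "\n", $clean, "\n";
```

With the constructed sample, $stripped still carries the onmouseover handler and the javascript: link, $escaped shows the tags as text, and $clean keeps the paragraph, the bold text and the link text while the handler, the unsafe href and the whole script block are gone. The sanitizer runs at input time, once, and the output is stored; escaping at output time is reserved for values that are meant to be plain text.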