How To Implement A WYSIWYG Editor And Safely Store Data In DB


4 replies to this topic

#1 masterlayouts

    Advanced Member

  • Members
  • 64 posts
Posted 27 March 2012 - 10:59 PM

I would like to replace one of the textarea form elements with a WYSIWYG editor such as http://nicedit.com/ or http://aloha-editor.org/ so the users may format their posts (pretty much like in this forum). This probably means that the information will be stored in the database as HTML. My question is what is the best way to deal with these things from the security point of view. Should I use strip_tags() and specify what is allowed, and probably slim down the editors to something reasonable, eliminating things like inline style for colors and divs for indenting the content? Or maybe there is a better solution that I am not aware of, so I can safely implement such an editor without (major) changes dealing with HTML as a whole? Does such an implementation raise security concerns?

#2 Larry

    Administrator/Writer

  • Administrators
  • 3,721 posts
  • Location: State College, PA (USA)

Posted 28 March 2012 - 7:09 AM

Yes, strip down the editor and then apply strip_tags(), stripping out all but a couple of necessary tags.

#3 masterlayouts

Posted 29 March 2012 - 4:43 AM

$f = strip_tags($_POST['textareaField'], '<h1><h2><p><pre><ul><ol><li><div><font><span><strong><br>');
$r = htmlspecialchars($c);

Is this too much, or should it work?

If it is not safe enough I am thinking of replacing each of these tags with a placeholder (like @@<h1>@@ for '<h1>' and so on...), then stripping everything before storing the string in the database. Then when I want to display it I replace the placeholders with their respective tags.

I wouldn't like to do this if not necessary. What do you think?

#4 Larry

Posted 30 March 2012 - 3:58 PM

Well, I don't understand what $r and $c are, but the use of strip_tags() looks fine. If you were to use placeholders, most people use [tag] and [/tag].

#5 masterlayouts

Posted 2 April 2012 - 8:53 AM

Sorry, the $c should have been $f. What I want to do is to apply htmlspecialchars() after I have applied strip_tags().
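The sanitizer below is an added example and not code from this thread or from the editors it mentions. It addresses the strip_tags() plus htmlspecialchars() plan discussed in posts #3 to #5. Two caveats a practitioner would want: strip_tags() does not touch the attributes of the tags you allow, so an onmouseover= on an allowed <p> or a javascript: href on an allowed <a> survives the call (the PHP manual says so explicitly), and strip_tags() keeps the text inside the tags it removes; and running htmlspecialchars() over the result re-encodes the allowed markup, so the browser shows a literal <p> instead of a paragraph. The approach shown instead parses the fragment with DOMDocument and keeps only allow-listed tags, allow-listed attributes per tag, and http(s)/mailto link schemes. The tag and attribute lists, the function names sanitize_fragment() and clean_children(), and the constructed $post input are assumptions for illustration.

```php
<?php
// Added example (not the forum's code): allow-list sanitizer for WYSIWYG post bodies.
// Tag/attribute lists and the sample input below are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_TAGS      = ['h1', 'h2', 'p', 'pre', 'ul', 'ol', 'li', 'strong', 'em', 'br', 'a'];
const ALLOWED_ATTRS     = ['a' => ['href']];            // every other attribute is dropped
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

/**
 * Returns $html with only allow-listed tags and attributes and only http(s)/mailto links.
 * Other elements are unwrapped (text kept, tag removed); script-like elements are removed
 * together with their content, which strip_tags() would have left as visible text.
 */
function sanitize_fragment(string $html): string
{
    $dom = new DOMDocument('1.0', 'UTF-8');
    libxml_use_internal_errors(true);                   // user HTML is rarely well-formed
    // The XML PI fixes the charset; the <div> gives one wrapper to serialize from.
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $wrapper = $dom->getElementsByTagName('div')->item(0);  // first div = our wrapper

    clean_children($wrapper);

    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $dom->saveHTML($child);                 // text nodes are re-escaped here
    }
    return $out;
}

function clean_children(DOMNode $parent): void
{
    // Snapshot first: removing from a live NodeList while iterating it skips siblings.
    $children = [];
    foreach ($parent->childNodes as $c) {
        $children[] = $c;
    }

    foreach ($children as $child) {
        if ($child instanceof DOMText) {
            continue;                                   // plain text is safe once serialized
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);               // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            clean_children($child);
            while ($child->firstChild !== null) {       // unwrap: hoist children, drop the tag
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        $attrs = [];
        foreach ($child->attributes as $a) {            // snapshot for the same reason as above
            $attrs[] = $a;
        }
        foreach ($attrs as $a) {
            $name = strtolower($a->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($keep && $name === 'href') {
                // Scheme allow-list: rejects javascript:, data:, vbscript: and relative URLs.
                $keep = (bool) preg_match('#^(https?:|mailto:)#i', trim($a->value));
            }
            if (!$keep) {
                $child->removeAttribute($a->name);
            }
        }
        clean_children($child);
    }
}

// Constructed sample input: the kinds of payloads a post body can carry.
$post = '<p onmouseover="alert(1)">Hello <strong>world</strong></p>'
      . '<a href="javascript:alert(2)">click</a>'
      . '<a href="https://example.com/">ok</a>'
      . '<script>alert(3)</script>'
      . '<div style="position:fixed">boxed &lt;3</div>';

// For comparison: strip_tags() keeps attributes of allowed tags and the text of removed ones.
echo strip_tags($post, '<p><strong><a>'), PHP_EOL;

// Allow-list sanitizer: event handler, javascript: link, script body and div are gone.
echo sanitize_fragment($post), PHP_EOL;
```

Store the sanitized string in the database and output it as-is; htmlspecialchars() belongs on values that must never render as HTML (usernames, titles), not on this one. Sanitize again on output if the allow-list changes later, since stored posts were cleaned under the old rules. The DOM walk also covers a case the placeholder idea from post #3 does not: a placeholder scheme still has to decide what to do with attributes, and the whole point of the allow-list is that an attribute is only kept when it is named explicitly for that tag.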