How To Implement A WYSIWYG Editor And Safely Store Data In DB
Started by masterlayouts, Mar 27 2012 10:59 PM
4 replies to this topic
#1
Posted 27 March 2012 - 10:59 PM
I would like to replace one of the textarea form elements with a WYSIWYG editor such as http://nicedit.com/ or http://aloha-editor.org/ so the users may format their posts (pretty much like in this forum). This probably means that the information will be stored in the database as HTML. My question is what is the best way to deal with these things from the security point of view. Should I use strip_tags() and specify what is allowed, and probably slim down the editors to something reasonable, e.g. eliminating things like inline style for colors and divs for indenting the content? Or maybe there is a better solution that I am not aware of, so I can safely implement such an editor without (major) changes dealing with HTML as a whole? Does such an implementation raise security concerns?
#2
Posted 28 March 2012 - 7:09 AM
Yes, strip down the editor and then apply strip_tags(), stripping out all but a couple of necessary tags.
#3
Posted 29 March 2012 - 4:43 AM
// Keep only the listed tags; strip_tags() removes every other tag from the submitted text.
$f = strip_tags($_POST['textareaField'], '<h1><h2><p><pre><ul><ol><li><div><font><span><strong><br>');
// Originally written as htmlspecialchars($c); $c was a typo for $f (see post #5).
$r = htmlspecialchars($f);
Is this too much, or should it work?
If it is not safe enough I am thinking of replacing each of these tags with a placeholder (like @@<h1>@@ for '<h1>' and so on...), then stripping everything before storing the string in the database. Then when I want to display it I replace the placeholders with their respective tags.
I wouldn't like to do this if not necessary. What do you think?
#4
Posted 30 March 2012 - 3:58 PM
Well, I don't understand what $r and $c are, but the use of strip_tags() looks fine. If you were to use placeholders, most people use [tag] and [/tag].
#5
Posted 2 April 2012 - 8:53 AM
Sorry, the $c should have been $f. What I want to do is to apply htmlspecialchars() after I applied strip_tags().
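To show what the strip_tags() approach from post #3 does and does not cover, here is an added example (not code from the thread): strip_tags() keeps the allowed tags, but, as the PHP manual notes, it leaves attributes on those tags untouched, so a second pass over the parsed DOM removes every attribute not on a per-tag allowlist. The function name sanitize_post_html and the sample input are constructed for this illustration; the tag list is the one from post #3 minus the purely presentational <font>, <span> and <div>.

```php
<?php
// Added example: allowlist-based clean-up of WYSIWYG output before it is stored.
function sanitize_post_html(string $html): string
{
    // Tags the reduced editor may emit (post #3's list minus <font>/<span>/<div>).
    $allowedTags  = '<h1><h2><p><pre><ul><ol><li><strong><em><br><a>';
    // Attributes permitted per tag; anything else (style, on* handlers, ...) is dropped.
    $allowedAttrs = ['a' => ['href']];

    // First pass: remove all tags except the allowed ones.
    $stripped = strip_tags($html, $allowedTags);

    // Second pass: parse the fragment and prune attributes.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy editor markup
    $doc->loadHTML('<?xml encoding="UTF-8" ?><div>' . $stripped . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*') as $el) {
        $keep = $allowedAttrs[$el->nodeName] ?? [];
        // Collect names first: removing while iterating the live NamedNodeMap skips entries.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->nodeName;
        }
        foreach ($names as $name) {
            $value = trim($el->getAttribute($name));
            // Remove disallowed attributes, and hrefs that are not http(s), mailto or relative.
            if (!in_array($name, $keep, true)
                || ($name === 'href' && !preg_match('#^(https?:|mailto:|/|\#)#i', $value))) {
                $el->removeAttribute($name);
            }
        }
    }

    // Serialise only the children of the wrapper <div>, not the wrapper itself.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input standing in for what the editor might submit.
$sample = '<p style="color:red">Hello <strong>world</strong>, see '
        . '<a href="http://example.com/" title="x">this</a></p><font size="7">big</font>';
$clean  = sanitize_post_html($sample);   // store $clean in the database
```

When displaying a stored post, echo the sanitized HTML as-is; running htmlspecialchars() over the whole string (as post #5 proposes) would encode the allowed tags and show them as literal text instead of formatting. htmlspecialchars() belongs on values you render inside attributes or plain-text contexts, not on the already-sanitized fragment.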