Reputation: 199
I've constructed a simple, lightweight WYSIWYG HTML editor with the use of contentEditable="true", inserting HTML tags via JavaScript.
It all works great, except I don't know the best way to submit, validate, and insert the input into the database. I'm concerned that someone might insert their own tags and mess up the output.
My best idea so far is to convert all valid tags into BBCode with PHP just before inserting the input into the database, and then clear all the other tags. Is this conventional?
Thank you!
Upvotes: 2
Views: 1085
Reputation: 128791
You'd probably want to run it through something like HTML Purifier to ensure you strip out any malicious code.
I'm not sure if HTML Purifier already does it, but you would also want to use htmlentities or htmlspecialchars to strip out any database attack-related code before storing the data.
Upvotes: 1
Reputation: 3497
Yes it is. Another approach would be to convert your tags already in your WYSIWYG editor. Either way does not help you around "never trust user input data" so you have to validate that code anyway. You have to assume that it can be corrupted.
Upvotes: 1
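An added example of the approach both answers describe (allow-list sanitisation of the editor's HTML with HTML Purifier, then a parameterised insert); it is not code from either answerer. It assumes HTML Purifier is installed via Composer and uses a hypothetical `posts` table with a `body` column.

```php
<?php
// Added example: sanitise contentEditable output with HTML Purifier,
// then store it with a prepared statement. Assumes HTML Purifier is
// installed via Composer and a hypothetical table `posts(body TEXT)`.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow-list only the tags and attributes the editor itself inserts;
    // everything else (script, event handlers, style, ...) is dropped.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,ul,ol,li,a[href]');
    // Restrict link schemes so that non-http(s) URLs are stripped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);
    // No on-disk definition cache for this self-contained example.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

function sanitizeEditorHtml(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = buildPurifier();
    }
    // Returns well-formed HTML containing only allow-listed markup.
    return $purifier->purify($dirty);
}

function storePost(PDO $db, string $cleanHtml): void
{
    // Prepared statement: the HTML is bound as data, never spliced into SQL,
    // so no escaping of the stored value is needed for the database step.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $cleanHtml]);
}

// Constructed sample input standing in for what a user could submit.
$dirty = '<p onclick="x()">Hello <b>world</b><script>alert(1)</script>'
       . '<a href="javascript:void(0)">link</a></p>';

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');
storePost($db, sanitizeEditorHtml($dirty));

echo sanitizeEditorHtml($dirty), PHP_EOL;
```

Because the stored value is already clean HTML meant to be rendered, it should be output as-is; htmlspecialchars is for the places where you print user text as text, not markup.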