Reputation: 1125
So I am using TinyMCE editor and have handled getting the content in the text area by using htmlspecialchars(), which works fine, but I'm a little confused on the other side of using a WYSIWYG editor... The content output part.
I am using HTML Purifier to output the content, but from what I understand I've just been doing for example:
$purifierConfig = HTMLPurifier_Config::createDefault();
$purifierConfig->set('HTML.Allowed', 'p');
$Purifier = new HTMLPurifier($purifierConfig);
$input = $Purifier->purify($input);
I've only tested with the p tags, but does this mean I am going to have to go through everything TinyMCE uses and add it in as what is allowed? Or is there a better way of tackling this problem with safe output of a WYSIWYG editor?
Upvotes: 0
Views: 684
Reputation: 7575
Yes, you need to set all allowed tags you want, separated by a comma. You can also specify what attributes are allowed by enclosing them with brackets:
$purifierConfig = HTMLPurifier_Config::createDefault();
$purifierConfig->set('HTML.Allowed', 'p,a[href],b,i,strong,em');
$Purifier = new HTMLPurifier($purifierConfig);
$input = $Purifier->purify($input);
I guess for a better understanding, the printDefinition can help.
Upvotes: 1
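The allowlist approach from the answer above, as an added example that is not part of the original posts or HTML Purifier's own sample code. It assumes a Composer install of ezyang/htmlpurifier and a basic TinyMCE toolbar (bold, italic, links, lists, headings, blockquote); `makeEditorPurifier()` is a hypothetical helper name and the input is constructed.

```php
<?php
// Added example, not the answerer's code. Assumes HTML Purifier was installed
// with Composer (ezyang/htmlpurifier); adjust the require path otherwise.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical helper: build a purifier whose allowlist matches the
 * formatting buttons assumed to be enabled in the TinyMCE toolbar.
 */
function makeEditorPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Elements, with permitted attributes in brackets (| separates attributes).
    // Any element or attribute not listed here is removed from the output.
    $config->set('HTML.Allowed', implode(',', [
        'p', 'br', 'strong', 'b', 'em', 'i',
        'ul', 'ol', 'li', 'blockquote', 'h2', 'h3',
        'a[href|title]',
    ]));

    // Allowing href is not enough on its own: also restrict which URI
    // schemes a link may use, so javascript: and data: links are dropped.
    $config->set('URI.AllowedSchemes', [
        'http' => true, 'https' => true, 'mailto' => true,
    ]);

    return new HTMLPurifier($config);
}

// Constructed sample of markup that could arrive in the editor's POST field.
$submitted = <<<'HTML'
<p onclick="alert(1)">Hello <strong>world</strong></p>
<script>alert(document.cookie)</script>
<p><a href="javascript:alert(1)">bad link</a>
<a href="https://example.com/" title="ok">good link</a></p>
<img src="x" onerror="alert(1)">
HTML;

$clean = makeEditorPurifier()->purify($submitted);

// $clean is markup intended for direct output. Running it through
// htmlspecialchars() would show the tags as literal text instead.
echo $clean, PHP_EOL;
```

Keep the allowlist in step with the editor's toolbar configuration: each formatting button that is enabled in TinyMCE needs its element (and any attributes it emits) listed, and nothing else should be.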