
handling WYSIWYG data in PHP

Developer (devze) https://www.devze.com 2023-03-24 18:21 Source: web

I need to use a wysiwyg editor for handling user input.

How do you process this in php?

If I retrieve the data and use htmlspecialchars then all the characters that were converted to special characters by the wysiwyg editor will be messed up.

For example quote will be &quote;

When I use htmlspecialchars in PHP the & will be converted to &amp;

It will be an obvious problem. Any ideas?


Have you considered keeping a plain-text and an additional HTML record of whatever is being modified? You can display the plaintext and when you save it you could convert it to HTML also and save that in a separate field?

If special chars are being converted to HTML though, wouldn't they still appear properly (to the user) when you are printing text out to editable form fields in html?

Let me know if I've misunderstood


Most editors (CKEditor, CLEditor and NicEdit to mention a few) support two modes of input: visual and direct input (usually called HTML mode).

When the user is entering text in visual mode, the editor takes care of converting html-like characters to the respective HTML entity while the user is typing his/her content. In this mode, the editor will typically add markup for the user (mostly paragraphs).

Direct input works like you'd expect from the name; The user is exposed to the HTML his or her content is made up of.

How you should handle the input data depends mostly on the user's role.

If the user is trusted (i.e. an administrator for a company website), the user should be able to use both input modes.

If the user is untrusted (an anonymous user posting a comment on a blog post), the user should not be able to input (potentially malicious, think XSS) markup.

If your users need some options for formatting their content, you should probably look into using another type of markup, e.g. BBCode. This prevents the user from injecting any <script> tags into the content that might be shown to other users.

You will still need to strip any HTML tags from the user content though.
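The following PHP is an added example, not code from the question or from either answer. It ties the two threads together: the double-encoding problem raised in the question (an `&amp;` that the editor already produced turning into `&amp;amp;`), and the role-based policy from the answer above (trusted users keep HTML, untrusted users get a small BBCode subset with every HTML tag neutralized). The BBCode tag set, the `http`/`https` scheme allowlist, the function names and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the original question or answers). Shows (1) how to
// re-display editor output without double-encoding entities such as &quot;,
// and (2) a role-based policy in which untrusted users may only use a tiny
// BBCode subset instead of raw HTML. Tag set, scheme allowlist and sample
// inputs below are assumptions made for this example.

declare(strict_types=1);

/**
 * Escape text for output inside a text field or textarea.
 * double_encode=false leaves existing entities (&quot;, &amp;) untouched,
 * which is what the question's "& becomes &amp;amp;" problem needs.
 */
function escapeForEditor(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

/**
 * Render content from an untrusted user: every character is escaped first,
 * then a small BBCode subset is converted to markup. Because escaping happens
 * before the conversion, a literal <script> in the input can never survive
 * as a tag; it is shown as text.
 */
function renderUntrusted(string $input): string
{
    // Escape everything (double_encode=true here: the stored text is shown verbatim).
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Simple, non-nesting replacements for [b] and [i].
    $safe = preg_replace('/\[b\](.*?)\[\/b\]/s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('/\[i\](.*?)\[\/i\]/s', '<em>$1</em>', $safe);

    // [url=...] is honoured only for http(s) targets; anything else stays literal text.
    $safe = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        static function (array $m): string {
            $href   = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[0]; // scheme not allowed: show the BBCode as written
            }
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

/**
 * Apply the policy from the answer: trusted users keep their HTML, untrusted
 * users go through renderUntrusted(). Raw HTML from a trusted editor still
 * deserves a real HTML sanitizer (e.g. HTML Purifier) in production; this
 * function only expresses the role decision.
 */
function renderByRole(string $input, bool $trusted): string
{
    return $trusted ? $input : renderUntrusted($input);
}

// Constructed sample inputs.
$fromEditor = 'He said &quot;hi&quot; &amp; left';
echo escapeForEditor($fromEditor), PHP_EOL;
// He said &quot;hi&quot; &amp; left   (entities preserved, not &amp;quot;)

$hostile = '[b]Hello[/b] <script>x()</script> [url=ftp://example.com/f]x[/url] [url=https://example.com]site[/url]';
echo renderByRole($hostile, false), PHP_EOL;
// <strong>Hello</strong> &lt;script&gt;x()&lt;/script&gt; [url=ftp://example.com/f]x[/url] <a href="https://example.com" rel="nofollow">site</a>
```

The key design choice is ordering: escape first, then convert the allowed BBCode tags, so the only `<` characters that ever reach the output are the ones this code writes itself. Passing `false` as the fourth argument of `htmlspecialchars` is the narrow fix for the question's re-display problem; it should only be used on text that is known to already contain well-formed entities, such as what the editor hands back.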
