Pierre Irani - 2 years ago 86
SQL Question

Use WYSIWYG Editor with PHP escape Method

I am building a small/test CMS using PHP and MySQL.
Everything is working amazingly on the adding, editing, deleting and displaying level, but after finishing my code, I wanted to add a WYSIWYG editor in the Admin back end.

My problem is that I am using an escape method to hopefully make my form a bit more secure and try to escape injections; therefore when adding styled text, an image or any other HTML code in my editor, I am getting them printed as literal code on my page (which is completely right, to avoid attacks).


function e($text) {
    // Escape a value for output into HTML; ENT_QUOTES also encodes single quotes
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

My Question is:
Is there any way to work around my escape method (which I think should not be done, because if I can do it every attacker could)?

Or should I change my escape method to another method?

Thank you

Answer Source

You can use strip_tags() to remove the unwanted tags. Read about it on this manual: http://php.net/manual/en/function.strip-tags.php

Example 1 (Based on the manual)

$text = '<p>Test paragraph, <a href="#">With link</a>.</p>';

# Output: Test paragraph, With link. (Tags are stripped)
echo strip_tags($text);
echo "\n";

# Allow <p> and <a>
# Output: <p>Test paragraph, <a href="#">With link</a>.</p>
echo strip_tags($text, '<p><a>');


I hope this will help you!
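The escape-versus-sanitize tension the question and answer describe, as an added example that is not code from the question, the answer or the PHP manual: strip_tags() with a tag allowlist still keeps every attribute on the allowed tags, so a WYSIWYG field needs a tag-and-attribute allowlist before it is rendered raw, while e() stays in use for plain-text fields. The function names and the ALLOWED_HTML table are this example's own assumptions.

```php
<?php
// Added example, not code from the question or the answer. strip_tags($html, '<p><a>')
// keeps every attribute on the allowed tags (onclick=, href="javascript:..."), so this
// sanitizer walks the DOM and allowlists tags AND attributes (names are assumptions).
// Tag => attributes permitted on it (assumed allowlist for a small CMS editor)
const ALLOWED_HTML = ['p' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [],
                      'li' => [], 'a' => ['href'], 'img' => ['src', 'alt']];
function clean_node(DOMNode $node): void {
    // Copy the child list first: removing nodes while iterating a live NodeList skips items
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) { continue; }      // text is escaped on output
        if (!$child instanceof DOMElement || in_array($child->tagName, ['script', 'style'], true)) {
            $node->removeChild($child);                     // comments, PIs, script/style: drop
            continue;
        }
        if (!isset(ALLOWED_HTML[$child->tagName])) {        // unknown tag: keep text, drop markup
            $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            if (!in_array($attr->name, ALLOWED_HTML[$child->tagName], true)) {
                $child->removeAttribute($attr->name);       // onclick, style, onerror, ...
            }
        }
        foreach (['href', 'src'] as $urlAttr) {             // URLs: http(s) or relative only
            if ($child->hasAttribute($urlAttr)
                && !preg_match('~^(https?://|/|#)~i', trim($child->getAttribute($urlAttr)))) {
                $child->removeAttribute($urlAttr);
            }
        }
        clean_node($child);
    }
}
function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                       // tolerate editor tag soup
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;                                            // render this WITHOUT e()
}
// Constructed input: an allowed tag carrying an event attribute, plus a script element
$input = '<p>Hello <a href="#" onclick="alert(1)">link</a><script>x()</script></p>';
echo strip_tags($input, '<p><a>'), "\n";   // onclick survives the tag-only allowlist
echo sanitize_html($input), "\n";          // only <p> and <a href="#"> remain
```

A maintained library such as HTML Purifier does this more thoroughly; the point here is that both tags and attributes need allowlisting, and only the sanitized field bypasses e().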
