Using xss_clean() for displaying content from WYSIWYG editor
Hi friends,
I have a web application that accepts comments using a WYSIWYG editor (having basic formatting like bold, italics, headings, lists, etc.). I am trying to allow users to also enter manually typed HTML like:

Quote:
    <b>This is manually typed content</b>

Here the first line is HTML that's manually typed by the user, and the second line is text formatted using the WYSIWYG editor. This input then gets stored in my database as (with HTML entities encoded):

Quote:
    <b>This is manually typed content</b>

Now, before displaying, when I run this through "$this->security->xss_clean()", the output of xss_clean() is:

Quote:
    <b>This is manually typed html</b>

So on echoing this in the browser both lines come out as bold text, whereas I want only the formatted text to be treated as HTML.

Another issue is that xss_clean() URL-decodes the text passed to it, so in some cases text having "%" with some trailing alphabets gets converted to a special character.

I understand a lot of the stuff that xss_clean() does is for security reasons, and my app has never suffered any XSS attacks until now thanks to it. But I would like an alternative that would preserve HTML entities and not URL-decode text while filtering for XSS.

So my question is: are there any good alternatives to xss_clean() which someone is using that can solve these two issues while also doing XSS filtering? I am aware of HTML Purifier, but would like to know if there are any other good alternatives.

P.S. I am aware that the % sign issue has been reported on CI's GitHub issues and is marked closed, because removing it is a security concern: https://github.com/bcit-ci/CodeIgniter/issues/5125

Haven't found anything else related in CI's GitHub issues, and searching "xss_clean" retrieves a lot of results on this forum. I went through a few pages but couldn't find something relevant. So forgive me for not being able to find a topic where this has been discussed before.

Thanks!
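The two complaints in the post (entities get decoded, "%" sequences get URL-decoded) both come from xss_clean() being a string-rewriting filter: it normalises the whole blob before pattern-matching it, so it cannot tell hand-typed `&lt;b&gt;` text apart from editor-produced `<b>` markup. An allow-list sanitizer that parses the fragment into a DOM and keeps only known-safe elements and attributes does not have that problem: entity-encoded text stays a text node and is re-encoded on serialisation, and nothing is URL-decoded. The following is an added illustration of that approach, written for this thread; it is not CodeIgniter's xss_clean(), not HTML Purifier, and not the original poster's code. The tag and attribute lists, the `sanitize_fragment()` / `clean_node()` / `safe_url()` names and the sample input are all assumptions made for the example.

```php
<?php
// Added example: allow-list HTML sanitizer built on PHP's DOMDocument.
// Keeps only the tags a basic WYSIWYG editor emits, drops every attribute
// except those listed for the tag, and lets libxml re-encode text nodes,
// so hand-typed "&lt;b&gt;" survives as literal text. No URL decoding occurs.

const ALLOWED_TAGS  = ['b', 'strong', 'i', 'em', 'u', 'p', 'br', 'ul', 'ol', 'li',
                       'h1', 'h2', 'h3', 'h4', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];      // per-tag attribute allow-list
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose content must go away with the element, not be unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitize_fragment(string $html): string
{
    $doc = new DOMDocument();
    // The XML PI forces UTF-8; the wrapper div gives a single root to serialise.
    $wrapped = '<?xml encoding="UTF-8"><div>' . $html . '</div>';
    libxml_use_internal_errors(true);                    // user HTML is rarely well-formed
    $doc->loadHTML($wrapped, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->documentElement;                       // the wrapper div
    if ($root === null) {
        return '';
    }
    clean_node($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                  // text nodes are entity-encoded here
    }
    return $out;
}

function clean_node(DOMNode $node): void
{
    // Walk a snapshot: the child list is mutated during the loop.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                    // text is inert once re-encoded
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);                  // comments, PIs, CDATA: drop
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown container (div, span, font, ...): sanitize its subtree first,
            // then keep the children and drop the tag itself.
            clean_node($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        clean_attributes($child, $tag);
        clean_node($child);
    }
}

function clean_attributes(DOMElement $el, string $tag): void
{
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        // Anything not allow-listed (style, class, on* handlers, ...) is removed.
        if (!in_array($name, $allowed, true) || ($name === 'href' && !safe_url($attr->value))) {
            $el->removeAttribute($attr->name);
        }
    }
}

function safe_url(string $url): bool
{
    // Browsers ignore C0 controls and spaces inside a scheme, so strip them before checking.
    $probe = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true;                                         // relative URL, no scheme
}

// Constructed sample, mirroring the thread: a hand-typed line stored entity-encoded,
// an editor-formatted line, a "%" sequence, and a few things a sanitizer must neutralise.
$stored = '&lt;b&gt;This is manually typed content&lt;/b&gt;<br>'
        . '<b>This is editor-formatted content</b> 100%done'
        . '<a href="javascript:alert(1)" onclick="x()">link</a>'
        . '<script>alert(1)</script><span style="color:red">plain</span>';
echo sanitize_fragment($stored), PHP_EOL;
```

Run with `php sanitize.php`: the first line is emitted still entity-encoded (so the browser shows the literal tags), the second line renders bold, `100%done` is untouched because nothing URL-decodes it, the link loses both its `javascript:` href and its `onclick`, the script element disappears entirely, and the span is unwrapped to plain text. HTML Purifier, which the post already mentions, implements this same parse-and-allow-list model far more thoroughly (HTML5 parsing quirks, CSS, URI normalisation), which is why it is the usual answer; the value of the small version above is that it makes visible why a DOM-based allow-list keeps the distinction that a string filter like xss_clean() erases.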
Messages in this thread:
- Using xss_clean() for displaying content from WYSIWYG editor - by thorium369 - 08-11-2018, 06:35 AM
- RE: Using xss_clean() for displaying content from WYSIWYG editor - by Pertti - 08-13-2018, 12:59 AM
- RE: Using xss_clean() for displaying content from WYSIWYG editor - by thorium369 - 08-17-2018, 02:53 AM