Text coming back formatted differently.

#1
[eluser]jshultz[/eluser]
I'm using CKEditor and KCFinder to build a relatively simple CMS. Currently, things are working pretty well. I noticed an issue, though, when I started integrating images into the mix. The links for the images are coming back wrong. It looks like CKEditor might be changing the quotes, etc., on me. It looks correct when I look in MySQL, but it doesn't always look correct when I look in the editor, but it's definitely not. Most of the time it does, but this time it came back looking like this:

<img alt="" data-cke-saved-src="http://placekitten.com.s3.amazonaws.com/homepage-samples/200/287.jpg" src="http://placekitten.com.s3.amazonaws.com/homepage-samples/200/287.jpg" 200px;="" height:="" 287px;="" float:="" left;"="">i

For example, look at this page here: http://testosm.phpfogapp.com/pages/index/1/3/

I have all the code posted here: https://github.com/jshultz/monkey-cms in case you want to see what I was doing. Any feedback would be appreciated.


#2
[eluser]MrChuffman[/eluser]
Haven't looked at your code yet, but you do know you're posting your config/database.php file into Git, right? Even if it's just a test server, it's best to add that to your .gitignore.

Edit: How are you cleaning your input? If you're using CI's native xss_clean, it strips the styles (reference system/core/Security.php) from inputs. If you're using the native solution, you'll need to extend and edit that.

#3
[eluser]jshultz[/eluser]
OK, I'll remove it from the repo. That's a good idea I had wrestled with doing but couldn't decide on.

I thought I was using xss_clean but I don't see it in my controller. https://github.com/jshultz/monkey-cms/bl...client.php

#4
[eluser]jshultz[/eluser]
OK, I checked and I have global_xss_filtering set to false in the config file.

The function is taking the inputs like this: (string)$this->input->post('pagename', TRUE);

#5
[eluser]jshultz[/eluser]
So I turned on global_xss_filtering and the data is definitely cleaner now. All the styling was removed, unfortunately. It's almost perfect. Now, if I could just keep the image styling it would be perfect!

#6
[eluser]Aken[/eluser]
The TRUE parameter of $this->input->post() is saying "run this through xss_clean() before giving it to me". You're now doing it twice, as opposed to none at all. Maybe consider a third-party library to sanitize the HTML, rather than utilizing xss cleaning and such. XSS cleaning, while great for security, can really mess with your code if you're trying to use complicated things like HTML.

You might even consider a different type of markup language, like Markdown for instance.

I hate WYSIWYG editors, because they all fudge up markup like crazy and they're horribly unintuitive. Not that that helps you at all, but yeah.

#7
[eluser]jshultz[/eluser]
You were right. It was the XSS_Clean!

So, what would be a good suggestion for handling a WYSIWYG type editor? I'm not married to CKEditor and KCFinder. If something would be a better option I'm open to it. I remember seeing on a blog somewhere that there was a pure HTML5 WYSIWYG type editor that looked compelling. I could use that and maybe CI's built-in image handling? I don't know.

#8
[eluser]Aken[/eluser]
I haven't used it yet, but this jQuery WYSIWYG editor looks very promising: http://redactorjs.com/

I don't know how much that would affect the actual resulting code or not - something tells me none of them will ever be perfect. But maybe it does a better job.

Otherwise, like I said, you could consider different markup options, like BBCode or Markdown or other similar text-based ones that don't require HTML tags at all. That way XSS Clean will never be a problem.

There are articles out there for handling HTML in POST, and protecting against various things. Here's something that might be handy: http://htmlpurifier.org/

#9
[eluser]jshultz[/eluser]
Thank you for the recommendation for HTML Purifier. I installed the standalone version and used the helper I found on github and it worked great.
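The thread settles on HTML Purifier for the rich-text field, but does not show a configuration. The following is an added example, not code from the thread or from the monkey-cms repository, of the whitelist setup a practitioner would want for CKEditor output: keep the image attributes the editor emits, restrict the style attribute to the three CSS properties needed for the layout, and refuse scripts, event handlers and javascript: URLs. The include path, the function names and the sample input are assumptions made for the example.

```php
<?php
/**
 * Added example (not part of the thread or the monkey-cms project).
 * Assumes the HTML Purifier standalone build was unpacked next to this
 * file; adjust the path to wherever you installed it.
 */
require_once __DIR__ . '/htmlpurifier/library/HTMLPurifier.standalone.php';

/**
 * Build a purifier for CMS page bodies produced by a WYSIWYG editor.
 *
 * HTML Purifier works as a whitelist: every element, attribute, CSS
 * property and URI scheme not listed below is removed, so there is no
 * need to enumerate dangerous patterns the way xss_clean() does.
 */
function build_cms_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Elements and attributes that survive. Note img keeps its style
    // attribute, which is exactly what xss_clean() threw away.
    $config->set('HTML.Allowed',
        'p,br,strong,em,ul,ol,li,h2,h3,blockquote,' .
        'a[href|title],img[src|alt|width|height|style]');

    // Only these CSS properties are kept inside style="". Anything else
    // (position, expression(), behavior, ...) is dropped.
    $config->set('CSS.AllowedProperties', 'width,height,float');

    // Reject javascript:, data:, vbscript: and every other scheme in
    // href/src; plain relative URLs are still accepted.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Skip the on-disk definition cache so the example needs no
    // writable directory; in production point Cache.SerializerPath at one.
    $config->set('Cache.DefinitionImpl', null);

    return new HTMLPurifier($config);
}

/**
 * Sanitize one editor submission. Call this once, on the raw POST value,
 * and store the result; do not also pass the field through xss_clean().
 */
function clean_cms_html(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = build_cms_purifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample input: CKEditor-style image markup with a layout
// style, plus three injection attempts that must not survive.
$dirty = <<<'HTML'
<p>Kitten:</p>
<img alt="" src="http://placekitten.com.s3.amazonaws.com/homepage-samples/200/287.jpg"
     style="width: 200px; height: 287px; float: left; position: absolute"
     onerror="alert(1)">
<a href="javascript:alert(document.cookie)">click</a>
<script>alert(1)</script>
HTML;

echo clean_cms_html($dirty), PHP_EOL;
```

In the CodeIgniter controller this replaces, rather than adds to, the built-in filter: leave global_xss_filtering at FALSE, read the field as $this->input->post('body') without the TRUE argument, and pass it through clean_cms_html() before the insert. Running xss_clean() as well would strip the style attribute again and undo the whitelist. Purify on input, store the result, and output it unchanged; if you later loosen HTML.Allowed, the already-stored content is not affected.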

