Manage html formatted text
Hi, I was wondering what the best way is to handle formatted text?
Let's say the case of a simple text without the use of an "editor", so that it includes every newline and maybe some tags, like <strong>, <i> and similar. What is the best way to save the input into the database? And how to print it on the page?
If you accept plain HTML tags, you are subject to XSS attacks; you need to use a filter to remove those attacks.
For example: http://htmlpurifier.org/. Just save it in a TEXT, MEDIUMTEXT etc. column depending on size, and just use "echo $text;" for printing.
Let's say that I exclude simple tags, so it is simple text, but it still includes the line breaks.
I send everything from a textarea and save it in the database as simple input without filters? Once I print it with "echo $text;", will I see the text all continuous, without line breaks, or am I wrong?
You need to exclude ALL tags if you don't want to use a filter.
You should always save everything as is (after filtering/validation). Escaping is done on output. You need nl2br($text) if you want \n converted to <br>, depending on what kind of editor you have and whether they are \n or <br> already.
_______________
You need to use nl2br(esc($text)); or you are subject to XSS, in case you don't use a filter. But as a precaution, always use esc() if you don't want user styling.
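The output step from the answer above, as an added example that is not code from the thread: plain PHP, where the `esc()` helper is assumed to be the CodeIgniter one and is defined here with `htmlspecialchars()` so the script runs on its own; the textarea input is a constructed sample.

```php
<?php
// Added example, not from the thread. esc() is assumed to behave like
// CodeIgniter's helper and is implemented here with htmlspecialchars().
declare(strict_types=1);

// Escape for an HTML body context: &, <, >, ", ' become entities, and
// invalid UTF-8 is replaced instead of silently emptying the string.
function esc(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a textarea value that was stored verbatim (no filtering on input).
// Order matters: escape first, then convert newlines, so the <br /> tags that
// nl2br() inserts are not themselves turned into &lt;br /&gt;.
function renderPlainText(string $stored): string
{
    return nl2br(esc($stored));
}

// Constructed sample of what a user could submit through the textarea:
// Windows and Unix line endings plus markup that must not be interpreted.
$stored = "First line\r\nSecond line <strong>bold?</strong>\n<script>alert(1)</script>";

// Unsafe: a raw echo hands the markup to the browser and the newlines
// collapse into whitespace on screen.
// echo $stored;

// Safe: tags are shown literally and each newline becomes a <br />.
echo renderPlainText($stored);
```

With this input the `<strong>` and `<script>` tags appear on the page as literal text, while every `\r\n` and `\n` is rendered as a `<br />` line break.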