Manage html formatted text
#1

Hi, I was wondering what was the best way to handle formatted text?

Let's say the case of a simple text without the use of "editor", so that it includes every newline and maybe some tags, like <strong> <i> and similar.

What is the best way to save input into the database?
And how to print it on the page?
#2

If you accept plain HTML tags, you are subject to XSS attacks; you need to use a filter to remove those attacks.
For example: http://htmlpurifier.org/

Just save it in a TEXT, MEDIUMTEXT, etc., depending on size.

And just use "echo $text;" for printing.
#3

Let's say that I exclude simple tags, therefore simple text but which still includes the line wraps.

I send everything from a textarea and save it in the database as a simple input without filters?

Once I print it with "echo $text;", will I see the text all continuous, without a line break, or am I wrong?
#4

(This post was last modified: 04-19-2020, 08:13 AM by jreklund.)

You need to exclude ALL tags if you don't want to use a filter.

You should always save everything as is (after filtering/validation). Escaping is done on output.

You need nl2br($text) if you want \n converted to <br>, depending on what kind of editor you have and whether they are \n or <br> already.
_______________

You need to use nl2br(esc($text)); or you are subject to XSS, in case you don't use a filter. But as a precaution, always use esc() if you don't want user styling.
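The advice in post #4 (store the text as submitted, escape on output, then convert newlines), as an added example that is not part of the original thread. It is plain PHP with `htmlspecialchars()` standing in for `esc()` (an assumption about its HTML-context behaviour), an in-memory SQLite table, and constructed input; the table and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Plain-PHP stand-in for esc($text) in an HTML context (assumption, see lead-in).
function esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape first, then add <br>: the only markup left is what nl2br() inserted.
function render_comment(string $raw): string
{
    return nl2br(esc_html($raw), false);
}

// Constructed textarea input: two newlines, a styling tag and a script tag.
$input = "First line\nSecond <strong>line</strong>\n<script>alert(1)</script>";

// Save the text unchanged; the prepared statement takes care of the SQL side.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$db->prepare('INSERT INTO comments (body) VALUES (?)')->execute([$input]);

$stored = $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();
if ($stored !== $input) {
    throw new RuntimeException('stored text should be byte-for-byte what was submitted');
}

// Unescaped: line breaks appear, but the script tag reaches the browser intact.
echo "unescaped:   ", nl2br($stored, false), "\n\n";

// Wrong order: the <br> tags added by nl2br() get escaped and show up as text.
echo "wrong order: ", esc_html(nl2br($stored, false)), "\n\n";

// Escape, then nl2br(): every user-supplied tag is inert, line breaks survive.
echo "correct:     ", render_comment($stored), "\n";
```

With this output path `<strong>` is shown as literal text too; letting users keep some tags is the case where the filter from post #2 is needed instead.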