PHP
Diversia, 2017-05-19 08:54:15

How to safely save data from a visual text editor form?

Hello!
Please share your experience! How to safely pass HTML from a visual editor form and save it?
In PHP you can use:
strip_tags($input, '<br><b><i>');
But how safe will it be? What is the best way to organize the save?


2 answer(s)
Boris Korobkov, 2017-05-19
@Diversia

To save to the database, use PDO so that there is no SQL injection.
Before outputting to the browser (or before saving to the database), use https://word-to-html.ru/ or htmlpurifier.org. This will remove potentially dangerous tags and attributes (for example, js), and as a bonus it will cut down on extra HTML (especially when copying from Word into a visual editor).
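An added example (my own code, not from the question or either answer) that puts the two answers together: an allow-list HTML sanitiser of the kind HTMLPurifier implements far more thoroughly, followed by a PDO prepared-statement insert. It also shows why the strip_tags() call from the question is not enough on its own: strip_tags() keeps every attribute on the tags it allows, so an inline event handler or a non-http link inside an allowed tag survives it. The allow-list (b, i, br, p and a with href), the posts table and the sample input are all assumptions made for this example.

```php
<?php
// Added example, not code from the thread: an allow-list HTML sanitiser
// (a simplified stand-in for HTMLPurifier) plus a PDO prepared-statement
// insert. strip_tags() keeps every attribute on the tags it allows; the
// sanitiser below keeps only listed tags and only listed attributes on them.
declare(strict_types=1);

// Hypothetical allow-list: tag => attributes permitted on it.
const ALLOWED_TAGS = ['b' => [], 'i' => [], 'br' => [], 'p' => [], 'a' => ['href']];
// Elements whose whole content is discarded instead of being unwrapped.
const DROP_TAGS = ['script', 'style', 'iframe', 'object', 'embed'];

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: the tree is mutated while walking it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                  // text is kept as-is
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);                // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_TAGS, true)) {
            $node->removeChild($child);                // element and its contents
            continue;
        }
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown tag: keep its (cleaned) children, drop the tag itself.
            cleanNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true);
            if ($keep && $name === 'href') {
                // Links only to http(s); rejects javascript:, data: and similar schemes.
                $keep = preg_match('#^https?://#i', trim($attr->value)) === 1;
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // The XML PI pins the charset; the <div> gives the fragment one known root.
    $ok = @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_NONET);
    $root = $ok ? $doc->getElementsByTagName('div')->item(0) : null;
    if ($root === null) {
        return '';
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function savePost(PDO $pdo, int $authorId, string $rawHtml): int
{
    $clean = sanitizeHtml($rawHtml);
    // Prepared statement: the body is bound as data, never spliced into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO posts (author_id, body_html) VALUES (:author, :body)');
    $stmt->execute([':author' => $authorId, ':body' => $clean]);
    return (int) $pdo->lastInsertId();
}

// Demo on an in-memory SQLite database (a MySQL DSN works the same way).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // native prepares where the driver supports them
]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body_html TEXT)');

// Constructed sample of what an editor might send, including an inline event
// handler and a non-http link that strip_tags($input, '<br><b><i>') would not touch.
$sample = '<p>Hello <b onmouseover="track()">world</b><br>'
        . '<a href="javascript:void(0)">bad</a> <a href="https://example.com/?a=1&amp;b=2">ok</a>'
        . '<script>track()</script></p>';
$id = savePost($pdo, 42, $sample);
$row = $pdo->prepare('SELECT body_html FROM posts WHERE id = ?');
$row->execute([$id]);
echo $row->fetchColumn(), PHP_EOL;
```

The sanitiser runs once, before the save, so the stored HTML is already the version that will be echoed to the browser; the prepared statement takes care of the SQL side regardless of what the sanitiser left in the text.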

Andrey, 2017-05-19
@AndryG

No tags need to be cut!
Security, like in sex, is determined by the correct use of contraceptives :)
When writing to the database, your data must go through mysqli_real_escape_string() escaping before it enters the query text: php.net/manual/ru/mysqli.real-escape-string.php
When outputting to the browser, your text, whether you expect it to contain tags or not, must pass through htmlspecialchars().
A small addition. If the editor uses bbCode, then consider storing both versions of the text: the original text from the editor and the compiled HTML. That way the expensive bbCode compilation only has to run when the original changes.
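An added example (my own code, not from this answer) of the bbCode suggestion above: a tiny bbCode subset ([b], [i], [url=...]) compiled to HTML, where the whole source is passed through htmlspecialchars() before the tag rules run, so the only markup in the compiled HTML is what the compiler emits itself. The post record stores both the editor text and the compiled HTML, and the compile step only runs when the source actually changes. The record shape and the sample text are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: a small bbCode subset compiled to
// HTML, with the post record holding both the source and the compiled HTML so
// compilation only happens when the source changes.
declare(strict_types=1);

// Every character of the source is entity-escaped first; after that the
// only HTML in the result is what the rules below emit.
function compileBbCode(string $source): string
{
    $text = htmlspecialchars($source, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $rules = [
        '#\[b\](.*?)\[/b\]#su' => '<b>$1</b>',
        '#\[i\](.*?)\[/i\]#su' => '<i>$1</i>',
        // Only http(s) URLs become links. Quotes, < and > are already entities
        // at this point, so the captured URL cannot break out of the attribute.
        '#\[url=(https?://[^\s\]]+)\](.*?)\[/url\]#su' => '<a href="$1" rel="nofollow">$2</a>',
    ];
    $html = preg_replace(array_keys($rules), array_values($rules), $text);
    return nl2br($html ?? $text);
}

/**
 * Hypothetical post record: ['source' => bbCode text, 'html' => compiled HTML].
 * Returns [updated record, whether a compile was needed].
 */
function updatePost(array $post, string $newSource): array
{
    if (($post['source'] ?? null) === $newSource) {
        return [$post, false];            // unchanged: reuse the stored HTML
    }
    return [['source' => $newSource, 'html' => compileBbCode($newSource)], true];
}

// Constructed sample: text as it would come from the editor.
$post = [];
[$post, $compiled] = updatePost($post, "Hi [b]<all>[/b]\nsee [url=https://example.com/?a=1&b=2]this[/url]");
echo $compiled ? 'compiled' : 'reused', ': ', $post['html'], PHP_EOL;

// Saving the same text again: no recompilation.
[$post, $compiled] = updatePost($post, $post['source']);
echo $compiled ? 'compiled' : 'reused', PHP_EOL;
```

The stored 'html' column is output as-is because it was built entirely by the compiler from escaped text; the 'source' column is what the editor gets back for the next edit, and it must still go through htmlspecialchars() if it is ever placed into a textarea.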
