chelkaz, 2017-05-26 04:42:27
Laravel

Security of user texts. How to output data correctly?

There is a project where users can add different posts.
How do I do it right so that users can enter both plain text and code, but the code is shown as code with minimal highlighting?
In terms of security, which is better?
Now, before adding to the database, I do this:
'text' => trim(htmlspecialchars($text)),
And I output it so that line breaks work:
In Laravel, {!! !!} means that htmlspecialchars is not applied to the output.
{!! nl2br(e($post->text)) !!}
But now I'm thinking of doing something like this: if there are tags in the text, then wrap the output in a highlighter, for example; if not, then display it as text.
I don't often deal with outputting user data. What are the nuances?
Are there ready-made libraries to simplify this? For example, in plain text, to filter duplicate spaces, tabs or empty lines, and if there is code in the text, to format it as code.


2 answer(s)
Sergey Sokolov, 2017-05-26
@sergiks

Let them write in Markdown markup and connect some library for rendering from md to html. For example, michelf/php-markdown.
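An added example (not code from the question, from Laravel or from michelf/php-markdown) that combines the point behind the question, escape once and only at output rather than before storing, with this answer's idea of rendering markup: the esc() and renderPost() names are this example's own, and it assumes the post text is stored raw. The ``` fence handling is a minimal stand-in for what a Markdown library does.

```php
<?php
// Added example (not code from the question, Laravel or michelf/php-markdown).
// Assumption: the post text is stored raw (trim only) and escaped exactly once,
// at output. Escaping on input and again on output double-encodes: "<" becomes
// "&lt;" in the database and "&amp;lt;" in the page unless double_encode is off.
declare(strict_types=1);

// This example's own escaper (Laravel's e() also wraps htmlspecialchars).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one post: ordinary text is escaped and gets <br> for line breaks;
// text inside ``` fences is escaped too, but wrapped in <pre><code> so the
// browser shows it as code (a CSS class on <pre> gives minimal highlighting).
function renderPost(string $raw): string
{
    // DELIM_CAPTURE yields: text, code, text, code, ..., text
    $parts = preg_split('/^```[^\n]*\n(.*?)\n```$/ms', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $chunk) {
        if ($i % 2 === 1) {
            $html .= '<pre class="code"><code>' . esc($chunk) . '</code></pre>';
        } elseif (trim($chunk) !== '') {
            // Collapse runs of empty lines (the question's "duplicate new lines"),
            // then escape and turn the remaining newlines into <br>.
            $text = preg_replace("/\n{3,}/", "\n\n", trim($chunk));
            $html .= '<p>' . nl2br(esc($text), false) . '</p>';
        }
    }
    return $html;
}

// Constructed post mixing prose, a stray tag and a fenced code block.
$post = "Hello <b>world</b>\n\n\n\nSecond line\n```php\necho \"<script>\";\n```\nBye";
echo renderPost($post), PHP_EOL;
```

Because every chunk, code or prose, passes through esc(), a `<script>` in either place reaches the browser as text; only the surrounding `<p>`, `<br>` and `<pre><code>` tags are generated by the renderer itself, which is what makes the Blade `{!! !!}` output safe to use here.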

vyrkmod, 2017-05-26
@vyrkmod

In general, any normal template engine escapes the output; in Twig, for instance, you have to separately indicate that a variable should be output "raw". Well, in general, a template engine is just a useful thing.
