How to properly escape HTML editor content correctly?


So I am using the TinyMCE editor and have handled getting the content into the text area by using htmlspecialchars(), which works fine, but I'm a little confused about the other side of using a WYSIWYG editor... the content output part.

I am using HTML Purifier to output the content, but from what I understand I've just been doing for example:

require_once 'HTMLPurifier.auto.php';           // load the library (or vendor/autoload.php with Composer)

$purifierConfig = HTMLPurifier_Config::createDefault();
$purifierConfig->set('HTML.Allowed', 'p');      // allowlist: only <p> survives, everything else is stripped
$Purifier = new HTMLPurifier($purifierConfig);
$input = $Purifier->purify($input);            // $input is the raw HTML that TinyMCE submitted

I've only tested with the p tag, but does this mean I am going to have to go through everything TinyMCE uses and add it to what is allowed? Or is there a better way of tackling the problem of safe output from a WYSIWYG editor?

1 answer

lumio (best answer)

Yes, you need to list all the tags you want to allow, separated by commas. You can also specify which attributes are allowed by enclosing them in square brackets:

require_once 'HTMLPurifier.auto.php';           // load the library (or vendor/autoload.php with Composer)

$purifierConfig = HTMLPurifier_Config::createDefault();
// comma-separated tag allowlist; attributes go in [] after the tag (several: a[href|title])
$purifierConfig->set('HTML.Allowed', 'p,a[href],b,i,strong,em');
$Purifier = new HTMLPurifier($purifierConfig);
$input = $Purifier->purify($input);            // unlisted tags/attributes are removed, not escaped

I guess printDefinition can help with a better understanding.
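To make the answer's allowlist concrete, here is a fuller example added by the editor of this page (it is not code from the question or the answer): one HTML Purifier instance, built once and reused, whose allowlist covers the tags a default TinyMCE toolbar emits, plus a URI scheme restriction so that javascript: links are dropped along with event-handler attributes. The function names, the Composer autoloader path and the sample input are assumptions made for the example; the directive names (HTML.Allowed, URI.AllowedSchemes, HTML.Nofollow, Cache.SerializerPath) are real HTML Purifier configuration keys.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes HTML Purifier was installed with Composer (composer require ezyang/htmlpurifier),
// so vendor/autoload.php exists next to this script.
require_once __DIR__ . '/vendor/autoload.php';

function editorPurifier(): HTMLPurifier
{
    // Building the HTML definition is the expensive part; do it once per request.
    static $purifier = null;
    if ($purifier !== null) {
        return $purifier;
    }

    $config = HTMLPurifier_Config::createDefault();

    // Allowlist of elements (and, in [], their attributes) that the editor may produce.
    // Anything not listed here is removed from the output rather than escaped.
    // Keep this list in sync with the editor's own valid_elements setting.
    $config->set('HTML.Allowed',
        'p,br,strong,b,em,i,sub,sup,blockquote,pre,code,'
        . 'h1,h2,h3,h4,ul,ol,li,'
        . 'a[href|title],img[src|alt|width|height],'
        . 'table,thead,tbody,tr,th,td');

    // Only these schemes survive in href/src; javascript:, data:, vbscript: are stripped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);

    // Links inside user-supplied content should carry rel="nofollow".
    $config->set('HTML.Nofollow', true);

    // Optional: persist the serialized definition to disk (directory must be writable).
    // $config->set('Cache.SerializerPath', __DIR__ . '/cache/htmlpurifier');

    $purifier = new HTMLPurifier($config);
    return $purifier;
}

// Call this at output time, on the HTML as it was stored from the editor.
function purifyEditorHtml(string $html): string
{
    return editorPurifier()->purify($html);
}

// Constructed sample input: what a hostile user could submit through (or around) TinyMCE.
$untrusted = '<p onclick="alert(1)">Hello <strong>world</strong></p>'
    . '<a href="javascript:alert(document.cookie)">click</a>'
    . '<img src="cat.png" onerror="alert(1)" alt="cat">'
    . '<script>alert(1)</script>'
    . '<iframe src="https://evil.example/"></iframe>';

echo purifyEditorHtml($untrusted), PHP_EOL;
// The onclick and onerror attributes, the javascript: href, and the <script> and
// <iframe> elements are removed; <p>, <strong>, the link text and the <img> with its
// allowed attributes remain.
```

Two points worth keeping in mind when wiring this into the page. First, the purified string is already safe HTML, so it is echoed as-is; passing it through htmlspecialchars() at this point would display the tags literally. htmlspecialchars() belongs only where the stored HTML is placed back inside the textarea for editing. Second, because HTML.Allowed is an allowlist, a tag TinyMCE adds later (for example a new plugin's element) will silently disappear from the rendered output until it is added here, which is the safe direction to fail in.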