

Welcome to Joseph LeBlanc's Joomla development forum. This forum is primarily intended to discuss the development of components I've authored, such as the podcasting suite and Daily Message tutorial. Although I happily answer general questions about Joomla, you may get quicker answers by searching the Joomla forums.

TOPIC: Re:Using htmlspecialchars with wysiwyg editor?
#3276
jleblanc (Admin), Posts: 1040
Re:Using htmlspecialchars with wysiwyg editor? 10 Months, 1 Week ago
Hi Bill,

Thanks for reading my book! The issue with htmlspecialchars() (and I really should be using htmlentities() here) is that we're trying to escape all input from the user. This way, users can't add <script src="nastyscript.js"> and other things that would hijack your page. However, if you are displaying something that's already in HTML, then you do end up with the problem where you see the HTML markup on screen instead of it being a part of the HTML document.

You can dispense with htmlspecialchars/htmlentities on these fields IF you are properly filtering those fields BEFORE they get saved into the database. The method for doing this is in the book. In usual cases, you call bind() on your table object, then you go back and set the fields with HTML manually using the JRequest::getValue() function, passing in the appropriate parameters that allow "good" HTML through.
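The split the reply describes, as an added example that is not code from the post or from the book: plain-text fields go through htmlentities() when displayed, while a WYSIWYG field is run through an allow-list filter before it is saved, so it can be echoed unescaped afterwards. The allowed tags and attributes and the function names are assumptions for this example; inside Joomla the filtering step is the JRequest call with allow-HTML parameters that the reply refers to.

```php
<?php
// Added example (not the post's or the book's code): escape plain-text fields on
// output, filter WYSIWYG fields on save. Tag lists and names are assumptions.
const ALLOWED_TAGS  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];

// Title, author and other plain-text fields: escape at output time.
function escapePlain(string $value): string {
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// WYSIWYG fields: allow-list filter run once, before the value is stored, so
// the stored HTML can later be echoed as-is instead of through htmlentities().
function filterHtml(string $html): string {
    libxml_use_internal_errors(true);            // fragments trigger warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // text nodes are re-escaped here
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes) as $child) { // snapshot: list mutates
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement
            || !in_array(strtolower($child->tagName), ALLOWED_TAGS, true)) {
            $node->removeChild($child);          // comments, PIs, <script>, <iframe>, ...
            continue;
        }
        $tag = strtolower($child->tagName);
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
            if (!$keep) {                        // drops onclick=, style=, javascript: ...
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}
```

Disallowed elements are removed together with their contents, which is the conservative choice for script and style bodies; if you want a plain wrapper such as div unwrapped instead of dropped, add that case explicitly rather than loosening the allow-list.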

Topics / Author / Date
Using htmlspecialchars with wysiwyg editor? / baldguy / 2009/09/21 09:28
Re:Using htmlspecialchars with wysiwyg editor? / jleblanc / 2009/09/22 14:38