htmlspecialchars function

vividona
07-08-2009, 08:15 PM
Hi folks,

To keep my TinyMCE text editor working with HTML codes, I removed this function from my posting form. Is there any security issue that may occur? And how do I fix this?

Thx in advance

traq
07-10-2009, 12:52 AM
Allowing people to post html to your site is always a security issue. It's not a good idea to allow anyone to add their own code and just "trust" that no one will abuse the feature.

Jesdisciple
07-10-2009, 04:13 AM
You can allow certain tags, and I'm sure open-source code is available for this. Usually the allowed set is <i> <u> <b> <a> and maybe a few others. Alternatively, several formatting languages are available, at least for blogs.

But why exactly do you need HTML to be modifiable by users? Is it something more complicated than formatting?
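
One way to implement the allowed-tag approach described above, written as an added example for this thread rather than code any poster provided: it parses the submitted fragment with PHP's DOMDocument, keeps only <i>, <u>, <b> and <a> (with href restricted to http/https), and passes every text node through htmlspecialchars so nothing that was not explicitly allowed can reach the browser as markup. The tag set and the link policy are assumptions chosen for the example.

```php
<?php
// Added example, not code from this thread: allowlist filter that keeps only
// <i>, <u>, <b> and <a href="http(s)://..."> and drops every other tag/attribute.
function sanitizeHtml(string $input): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy user markup
    // Wrap the fragment so libxml knows the encoding and gives us one root node.
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html;'
        . ' charset=utf-8"></head><body>' . $input . '</body></html>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('body')->item(0);
    return $root === null ? '' : renderChildren($root, ['i', 'u', 'b', 'a']);
}

function renderChildren(DOMNode $node, array $allowedTags): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Text is always re-escaped, so a stray '<' can never open a tag.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES, 'UTF-8');
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                   // drop these together with their contents
            }
            $inner = renderChildren($child, $allowedTags);
            if (!in_array($tag, $allowedTags, true)) {
                $out .= $inner;             // unwrap: keep the text, lose the tag
                continue;
            }
            $attrs = '';
            if ($tag === 'a') {
                $href = trim($child->getAttribute('href'));
                // Only absolute http/https links survive; javascript:, data: etc. vanish.
                if (preg_match('#^https?://#i', $href)) {
                    $attrs = ' href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '"';
                }
            }
            // No other attribute (onclick, style, ...) is ever copied from the input.
            $out .= "<$tag$attrs>$inner</$tag>";
        }
        // Comments, CDATA and processing instructions are silently dropped.
    }
    return $out;
}

echo sanitizeHtml('<b onclick="steal()">bold</b> <a href="javascript:alert(1)">x</a>'
    . ' <a href="https://example.com/">ok</a> <script>alert(1)</script> 1 < 2');
```

Because the output is rebuilt from the parsed tree rather than filtered with regular expressions, malformed or nested markup cannot smuggle a tag past the allowlist; extending the allowed set means adding a tag name and, for any new attribute, an explicit check like the one for href.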

achardrys
07-11-2009, 01:53 AM
I'd like to suggest the all-powerful BB CODE!

You should try googling a PHP BB Code script

traq
07-11-2009, 06:03 AM
As Jesdisciple implied, it all depends on what, exactly, he wants to be able to do. If he actually needs more than formatting, hyperlinks, etc., BB code wouldn't solve the problem. I suspect that may be the case, as TinyMCE (http://tinymce.moxiecode.com/examples/full.php) is capable of many (if not more) of the things BB code is.