Handling a HTML WYSIWYG Editor

2
votes

I've constructed a simple, light-weight WYSIWYG HTML editor with the use of contentEditable="true", inserting HTML tags via javascript.

It all works great, except I don't know the best way to submit, validate, and insert the input into the database. I'm concerned that someone might insert their own tags and mess up the output.

My best idea so far is to convert all valid tags into BBCode with PHP just before inserting the input into the batabase, and then clear all the other tags. Is this conventional?

Thank you!

2
phphtmlwysiwyg
possible duplicate of What are the common defenses against XSS? - Quentin
@Quentin : I already strip the other HTML tags. I'm just curious how I should handle the tags which I want preserve. That doesn't seem to answer it, but thanks anyway! - Tom
You (a) Don't allow elements/attributes that can "mess up the output" and (b) as per the duplicate question use "a real parser" that acts as a "validator" (which prevents mismatched start/end tags) - Quentin
@Quentin : Cool, thanks! - Tom

2 Answers

1
votes

Yes it is. Another approach would be to convert your tags already in your WYSIWYG editor. Either way does not help you around "never trust user input data" so you have to validate that code anyway. You have to assume that it can be corrupted.

1
votes

You'd probably want to run it through something like HTML Purifier to ensure you strip out any malicious code.

I'm not sure if HTML Purifier already does it, but you would also want to use htmlentities or htmlspecialchars to strip out any database attack-related code before storing the data.