I am trying to validate a rich text input provided by the TinyMCE editor. I am very aware of leaving myself open to XSS etc and want to get this right.
I am sanitising the POST data prior to doing anything with it with the following code:
//sanitise POST array
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
I then have a custom validation class to check each field input now it's been sanitised, but... I'm not sure how to check the sanitised RTF input. For example I am using ctype_alpha() to check for alpha inputs and filter_var($this->currentObject->value, FILTER_VALIDATE_EMAIL) to check for valid email addresses, but I'm not sure what to use for the sanitised TinyMCE field.
I think what I need is a regex, perhaps? Does anyone know the correct expression to check a TinyMCE RTF input? Am I doing this the right way round?
If using a regex I can then use my function below to return whether it is valid:
//used to send a custom regex
// $regex must be a complete PCRE pattern including delimiters (e.g. '/^...$/'),
// because FILTER_VALIDATE_REGEXP hands it to preg_match() unchanged.
function regex($regex, $errorMsg = null)
{
    // Only check non-empty values, and only while no earlier rule has failed.
    if ($this->isValid && (!empty($this->currentObject->value))) {
        // FILTER_VALIDATE_REGEXP returns the value on a match and false otherwise;
        // compare against false so a matching value such as "0" still validates.
        $this->isValid = filter_var(
            $this->currentObject->value,
            FILTER_VALIDATE_REGEXP,
            array("options" => array("regexp" => $regex))
        ) !== false;
        if (!$this->isValid) {
            $this->setErrorMsg($errorMsg, self::$error_regex);
        }
    }
    return $this;
}
I think this will work, but am I missing any characters?
^[a-zA-Z0-9\s&|&\.\!?\;\\\-\<\>\/]*$
FILTER_SANITIZE_FULL_SPECIAL_CHARS basically reverts the editor work (which doesn't make much sense). In the second case you aren't even using the appropriate family of tools because RTF doesn't have anything to do with HTML. - Álvaro González
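The following is an added example, not code from the question, the comment or TinyMCE, showing the approach a defender would take with editor output: keep the HTML rather than entity-encoding it, parse it with PHP's bundled DOMDocument, and keep only an allowlist of elements and attributes, with href restricted to safe URL schemes. The allowlists, the scheme list and the sample input are assumptions constructed for this demo. Two points it makes concrete: FILTER_SANITIZE_FULL_SPECIAL_CHARS turns every `<`, `>`, `"` and `&` into an entity, so the stored value is inert text and the editor markup is lost; and the character-class regex above admits `<`, `>` and `/`, so it accepts any tag name and any attribute made of letters, i.e. it checks which characters occur, not which elements. Working on the parsed DOM also means entity-encoded attribute values (such as an href written with `&#106;` escapes) are decoded before the scheme check sees them. For production use, a maintained library such as HTML Purifier covers many more cases than this demo.

```php
<?php
// Added example: allowlist-based sanitiser for rich-text editor HTML using
// PHP's bundled DOM extension. Tag/attribute allowlists and the sample input
// are assumptions made for this demo, not TinyMCE's or the question's config.

// Elements we keep, each with the attributes allowed on it.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
];
// Elements removed together with their content (unwrapping these would leak
// script source or CSS into the page as text).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
// URL schemes permitted in href; relative URLs (no scheme) are also accepted.
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];

function isSafeUrl(string $url): bool
{
    // Browsers ignore ASCII control characters and spaces inside a URL before
    // resolving the scheme, so strip them before looking for "scheme:".
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the child list because we remove and move nodes while iterating.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            // Keep text; drop comments, processing instructions and the like.
            if (!$child instanceof DOMText) {
                $node->removeChild($child);
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        // Clean descendants first so that unwrapping below cannot re-introduce
        // anything that has not been checked.
        cleanNode($child);
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Unknown but harmless element (e.g. <span>): keep its content, drop the tag.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Remove every attribute not on the allowlist for this tag; this is what
        // drops on* event handlers and style. href additionally needs a safe scheme.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                && ($name !== 'href' || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitiseRichText(string $html): string
{
    $doc = new DOMDocument();
    // The editor sends a fragment, not a full document; libxml wraps it in
    // html/body and may warn about unknown HTML5 tags, so silence warnings.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);

    // Serialise only the body's children so the wrapper elements do not leak out.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: what a tampered editor submission could look like.
$sample = '<p onclick="alert(1)">Hello <span style="color:red">world</span>'
    . '<script>alert(1)</script><a href="javascript:alert(1)">bad</a> '
    . '<a href="https://example.com" title="ok">ok</a></p>';

// What the question's current step produces: every < > " & is entity-encoded,
// so the stored value is inert text and the markup is gone.
echo filter_var($sample, FILTER_SANITIZE_FULL_SPECIAL_CHARS), PHP_EOL;
// Allowlist result: tags and attributes kept only when explicitly permitted.
echo sanitiseRichText($sample), PHP_EOL;
```

Run it with `php sanitise_demo.php` (any PHP 7.4+ with the default dom extension). The allowlisted output keeps the paragraph, the bold text, the link text and the https link, and drops the event handler, the inline style, the script element with its contents and the javascript: href. The design choice to clean descendants before unwrapping an unknown element is what keeps the recursion safe: by the time a `<span>`'s children are lifted into the parent, they have already been checked.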