How do I let user insert HTML, but not other stuff
Posted: Wed Jul 05, 2006 4:25 am
by Luke
I have a news module that uses tinymce as a wysiwyg editor. I want my app to allow html formatting from this editor, but not javascript or sql. What do you guys do for this type of thing?
Posted: Wed Jul 05, 2006 4:31 am
by Jenk
preg*
Posted: Wed Jul 05, 2006 4:36 am
by Luke
well even with preg... what types of things do I check for?
Posted: Wed Jul 05, 2006 4:38 am
by Jenk
disallow event handlers (onClick, onSubmit, onMouseOver, etc.) and of course the <script> tags.
However, as the other thread on this topic suggests, it's best you use a different markup to allow such editing, e.g. bbcode

Posted: Wed Jul 05, 2006 4:40 am
by Luke
hmm... maybe tinymce has some such markup... I will look into it.