I have searched high and low and can only find some very bad documentation on how to properly save the data from a rich text editor to a SQL Server database. I am not working with personal profiles, I just want to understand how it is properly done, including how to properly escape said data.
views:
104answers:
2
A:
One simple way would be to HtmlEncode the content of the TinyMCE control when saving and Decode it when retrieving.
macou
2009-07-24 04:02:24
+1
A:
Use parameterized queries and you don't need to escape or encode the data going into or coming out of the DB.
What you should be more concerned about is the composition of the HTML that you're receiving when it's be rendered back out from the database. It's not really enough to trust the person submitting the HTML to not be malicious.
Does the HTML contain script? Does the HTML contain XSS attacks? Does any formatting or CSS embedded in the HTML break your page? Does unclosed markup in the HTML break your page?
CptSkippy
2009-07-24 14:36:04