How to allow certain HTML tags in a form field in Symfony 1.2

Question

I'm playing around with Symfony and have encountered a road block.

I created a model "CmsPage" which has a field called "content" which is stored as a clob (this is specific to doctrine I believe). When I created the app I set "--escaping-strategy=on" so if I enter any html when editing a CmsPage that gets encoded with html entities or something along those lines. I would like to allow html in this field and a quick googling hasn't helped much. Maybe I'm searching for the wrong terms.

Anywho I would like to disable character escaping for this field and possibly only allow a small selection of html tags. What is the correct way to do this in Symfony?

Answer 1

From http://www.librosweb.es/symfony%5F1%5F1%5Fen/capitulo7/output%5Fescaping.html

Every template has access to an $sf_data variable, which is a container object referencing all the escaped variables. [skipped] $sf_data also gives you access to the unescaped, or raw, data. This is useful when a variable stores HTML code meant to be interpreted by the browser, provided that you trust this variable. Call the getRaw() method when you need to output the raw data.

echo $sf_data->getRaw('test'); => alert(document.cookie)You will have to access raw data each time you need variables containing HTML to be really interpreted as HTML. You can now understand why the default layout uses $sf_data->getRaw('sf_content') to include the template, rather than a simpler $sf_content, which breaks when output escaping is activated.

Answer 2

You can use http://htmlpurifier.org/ It is great tool for your needs.

Here is small configuration for htmlpurifier. These rules perfect match with TinyMce editor.

$purifier = new HTMLPurifier();
$purfier_config = HTMLPurifier_Config::createDefault();
$purfier_config->set('HTML.DefinitionID', 'User Content Filter');
$purfier_config->set('HTML.DefinitionRev', 1);
// these are allowed html tags, means white list
$purfier_config->set('HTML.Allowed', 'a,strong,em,p,span,img,li,ul,ol,sup,sub,small,big,code,blockquote,h1,h2,h3,h4,h5');
// these are allowed html attributes, coool!
$purfier_config->set('HTML.AllowedAttributes', 'a.href,a.title,span.style,span.class,span.id,p.style,img.src,img.style,img.alt,img.title,img.width,img.height');
// auto link given url string
$purfier_config->set('AutoFormat.Linkify', true);
// auto format \r\n lines
$purfier_config->set('AutoFormat.AutoParagraph', true);
// clean empty tags
$purfier_config->set('AutoFormat.RemoveEmpty', true);
// cache dir, just for symfony of course, you can change to another path
$purfier_config->set('Cache.SerializerPath', sfConfig::get('sf_cache_dir'));
// translation type, 
$purfier_config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// allow youtube videos
$purfier_config->set('Filter.YouTube', true);
$purfier_config->set('HTML.TidyLevel', 'heavy');
// now clean your data
$clean_nice_html_data = $purifier->purify($user_input_data, $purfier_config);

Now you can insert data to databse with html tags, and you don't need to escape your data, because, htmlpurifier clean nasty, dangerous data for you, and only accept your allowed tags and attributes.

I hope it helps.