views: 45
answers: 3
Hello guys, I'm new to CodeIgniter; I've been using it in my project for the last two months. I have a comment section in my project where anyone can give comments. Everything is going perfectly, but whenever anyone puts in HTML content (images/videos) and then it is shown back in the comment section, the raw HTML code is shown on the comment page rather than the HTML content (images/videos).

e.g. when I save a YouTube "embed video code" in the comment box and save it, the output comes out as the raw embed video code rather than the YouTube video.

I feel like it must be a minor thing, but I really can't understand where the fault is occurring. Please, if anybody has the solution, reply to me as soon as possible.

A: 

As a quick hack you can do htmlspecialchars_decode when displaying the comment in your view. This is very dangerous, though, without sanitization when you receive the comment; search for xss_clean on this page. You should also use strip_tags to remove all the HTML tags you don't need (everything except the video tags) prior to inserting the comment in the database.

kitsched
Thanks kitsched, for your quick reply. Actually, I'm sanitizing all my comment text inputs with xss_clean and trim. Last night, I saw that maybe at sanitization time the "param" tag of the YouTube EMBED code is getting blocked. That's why those videos are not working properly.
mi6crazyheart
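The following is an added example (not code from kitsched's answer or from CodeIgniter) that shows what the strip_tags plus decode approach actually lets through. strip_tags only removes tags outside its allow-list; every attribute on an allowed tag, including event handlers such as onload, survives untouched, which is why it is not an XSS filter on its own. The comments and the video ID are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: shows what the "strip_tags + decode"
// approach actually lets through. strip_tags() only removes tags that are not
// in its allow-list; attributes on allowed tags (including event handlers
// such as onload) are kept as-is, so it is not an XSS filter on its own.

function filter_with_strip_tags(string $raw): string
{
    // Keep only the tags a video embed needs, drop everything else.
    return strip_tags($raw, '<object><param><embed>');
}

function escape_for_display(string $stored): string
{
    // What the view shows when it escapes the stored comment (the original
    // poster's situation: markup appears as literal text, not a player).
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

function has_event_handler(string $html): bool
{
    // Crude check for on*= attributes inside any surviving tag.
    return (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

// Constructed sample comments (the video ID is made up).
$comments = [
    'plain video' => 'Great talk: <embed src="https://www.youtube.com/v/AbCdEfGhIjK" '
                   . 'type="application/x-shockwave-flash"></embed>',
    'script tag'  => 'Hi <script>alert(1)</script> there',
    'handler'     => '<embed src="x" onload="alert(document.cookie)"></embed>',
];

foreach ($comments as $label => $raw) {
    $filtered = filter_with_strip_tags($raw);
    echo "[$label]\n";
    echo "  after strip_tags:       $filtered\n";
    echo "  event handler survived: " . (has_event_handler($filtered) ? 'yes' : 'no') . "\n";
    echo "  escaped for the view:   " . escape_for_display($filtered) . "\n\n";
}
```

Running it shows the script-tag comment reduced to "Hi alert(1) there" (the tag is gone, its text stays), while the third comment keeps its onload attribute intact. If that stored string is later passed through htmlspecialchars_decode in the view, the handler executes in every reader's browser; the escaped form on the last line of each group is the only one of the three that is safe to print.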
+1  A: 

I had a similar problem a while back - wanting to give end users the ability to post YouTube videos, but not allow them to just post anything without some sort of XSS protection.

I ended up using htmlpurifier - http://htmlpurifier.org/ to filter the contents being submitted in the form.

There is a modification that can be made to the whitelist that allows YouTube code through the purifier.

http://htmlpurifier.org/docs/enduser-youtube.html

So far, that's working well, but my system is still in development.

someoneinomaha
htmlpurifier with its associated CodeIgniter library is quite a find. Thank you!
kitsched
+2  A: 

Couldn't one devise a system where somebody just posts the youtube link itself and through a combination of regular expressions your own system generates the object/embed code itself so there's no security risk possible?

djFire
Sounds much safer than wrangling tags.
kitsched
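The approach djFire describes, as an added example that is not part of the thread and not CodeIgniter code: the user submits only a YouTube link, the server extracts the video ID and accepts it only if it matches the 11-character ID alphabet, and the page markup is generated entirely server-side. No user-supplied tag or attribute ever reaches the page, so there is nothing for xss_clean to block (which also sidesteps the "param tag gets blocked" problem above). The iframe embed form, the accepted host names and the sample URLs with the made-up video ID are assumptions of this example.

```php
<?php
// Added example, not code from the thread: accept a YouTube URL from the user,
// extract and validate the video ID, and build the embed markup ourselves.
// Only an 11-character ID that passed a strict allow-list reaches the page.

function youtube_video_id(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (strpos($host, 'www.') === 0) {
        $host = substr($host, 4);
    }
    $path = $parts['path'] ?? '';
    $id = null;

    if ($host === 'youtu.be') {
        // Short form: https://youtu.be/<id>
        $id = ltrim($path, '/');
    } elseif ($host === 'youtube.com' || $host === 'm.youtube.com') {
        if ($path === '/watch') {
            // Long form: https://www.youtube.com/watch?v=<id>[&t=...]
            parse_str($parts['query'] ?? '', $query);
            $id = $query['v'] ?? null;
        } elseif (preg_match('#^/(?:embed|v)/([^/]+)$#', $path, $m)) {
            // Embed forms: /embed/<id> or /v/<id>
            $id = $m[1];
        }
    }

    // Video IDs are exactly 11 characters from [A-Za-z0-9_-]; anything else,
    // including an array from v[]=, a quote or an angle bracket, is rejected.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) {
        return null;
    }
    return $id;
}

function youtube_embed_html(string $url): string
{
    $id = youtube_video_id($url);
    if ($id === null) {
        return '<p>Invalid YouTube link.</p>';
    }
    // The regex already guarantees the ID is inert; escaping is belt and braces.
    $safeId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    return '<iframe width="560" height="315" src="https://www.youtube.com/embed/' . $safeId
         . '" frameborder="0" allowfullscreen></iframe>';
}

// Constructed sample inputs (the video ID is made up).
$inputs = [
    'https://www.youtube.com/watch?v=AbCdEfGhIjK',
    'https://youtu.be/AbCdEfGhIjK',
    'http://m.youtube.com/watch?v=AbCdEfGhIjK&t=42s',
    'https://www.youtube.com/embed/AbCdEfGhIjK',
    'https://evil.example/watch?v=AbCdEfGhIjK',
    'https://www.youtube.com/watch?v="><script>alert(1)</script>',
];

foreach ($inputs as $url) {
    echo $url, "\n  -> ", youtube_embed_html($url), "\n";
}
```

The first four inputs all produce the same iframe; the foreign host and the injection attempt both fall through to the "Invalid YouTube link." fallback. Store the validated ID (or the original URL) in the database rather than the generated markup, so the embed format can change later without re-sanitizing old comments.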