I'm using an HTML form's TEXTAREA field that will contain text, and it may itself contain some HTML tags. I have read here that this should be managed using the htmlspecialchars function, however this will show the HTML tags in a way that will make it quite difficult to allow easy editing of the HTML code in the form TEXTAREA. What is the safer, easier way to achieve this, ensuring that quotes and "dirty" HTML code will not spoil the form?

A: 

Sorry, a missing quote was spoiling everything. Fine now. Thanks

Riccardo
+1  A: 

The usual workflow:

  1. Provide a JavaScript rich-text editor for your users such as TinyMCE: http://tinymce.moxiecode.com/
  2. Grab the source generated by the RTE and filter it through HTML Purifier before saving to the database.
  3. Escape the existing HTML: <div id="myHtml" style="display: none"><?php echo htmlentities($html); ?></div>
  4. Re-populate the RTE via JavaScript - in the case of TinyMCE as follows: tinyMCE.activeEditor.setContent($('#myHtml').html());

You can also load the HTML content via AJAX.

pygorex1
Man, this is awesome! Will certainly follow your advice. Thanks!
Riccardo
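
Added example, not part of the original thread or either poster's code: the filter and escape steps from the answer applied directly to a TEXTAREA, showing that htmlspecialchars keeps quotes and a stray closing tag from breaking the form while the field still holds the raw tags for editing. The function names, field name and sample input are constructed for illustration, and the HTML Purifier call assumes that library is installed and autoloaded.

```php
<?php
// Added example: names and sample input below are constructed for illustration.

/** Filter submitted HTML before saving (step 2 of the answer). */
function filter_for_storage(string $dirty): string
{
    // Assumption: HTML Purifier is autoloaded. Without it the input is
    // returned unchanged and must never be echoed later as raw HTML.
    if (class_exists('HTMLPurifier')) {
        $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
        return $purifier->purify($dirty);
    }
    return $dirty;
}

/** Escape stored HTML so it is inert text inside the form markup. */
function render_textarea(string $name, string $html): string
{
    $opts = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<textarea name="' . htmlspecialchars($name, $opts, 'UTF-8') . '">'
         . htmlspecialchars($html, $opts, 'UTF-8')
         . '</textarea>';
}

// Constructed input: quotes plus a closing tag that would end the field early.
$submitted = '<p class="note">It\'s "dirty"</p></textarea><b>outside the field</b>';
$stored    = filter_for_storage($submitted);

$markup = render_textarea('body', $stored);
echo $markup, PHP_EOL;

// The only closing tag left in the markup is the one emitted by render_textarea().
var_dump(substr_count($markup, '</textarea>') === 1);

// A browser decodes the entities when it fills the field, so the user edits
// the original tags; html_entity_decode() stands in for that step here.
$inner = substr($markup, strlen('<textarea name="body">'), -strlen('</textarea>'));
var_dump(html_entity_decode($inner, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $stored);
```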