Tinymce and HTML Purify

vincekaribusana · June 10, 2017, 9:37pm

Hi i’ve noticed if I want to sanitize tinymce html text using html purify I need to decode the html entity fist setting the string in the following way

$inbox_message_body = html_entity_decode($_POST['messagebody']);

And then i can purify it with html purify in this way

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_inbox_message_body = $purifier->purify($inbox_message_body);
$clean_inbox_message_subject = $purifier->purify($inbox_message_subject);

Is this the right approach? I believe html purify is better than tinymce because for example it does strip the tang all is content.

Lemon_Juice · June 12, 2017, 1:05pm

More or less it’s the right approach. HTML Purifier work server side while TinyMCE is client side so they are a bit different. For public forms some server side filtering is important for security.

As to the entities, try entity_encoding : "raw" option for TinyMCE - it should not generate entities any more, provided you use UTF-8.

system · September 11, 2017, 8:05pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.