Tinymce and HTML Purify

Hi, I've noticed that if I want to sanitize TinyMCE HTML text using HTML Purifier I need to decode the HTML entities first, setting the string in the following way:

$inbox_message_body = html_entity_decode($_POST['messagebody']); // decode entities before purifying

And then I can purify it with HTML Purifier in this way:

require_once 'HTMLPurifier.auto.php'; // load the HTML Purifier library
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_inbox_message_body = $purifier->purify($inbox_message_body);
// $inbox_message_subject is obtained and decoded the same way as the body above
$clean_inbox_message_subject = $purifier->purify($inbox_message_subject);

Is this the right approach? I believe HTML Purifier is better than TinyMCE because, for example, it does strip the tag and all its content.

More or less it's the right approach. HTML Purifier works server side while TinyMCE is client side, so they are a bit different. For public forms some server-side filtering is important for security.

As to the entities, try the entity_encoding : "raw" option for TinyMCE; it should not generate entities any more, provided you use UTF-8.
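The point behind the reply above is that only the server-side step can be trusted: whatever TinyMCE does in the browser can be bypassed by posting the form directly. The example below is added here and is not code from either post; it shows the decode-then-purify order from the question with a restrictive HTML Purifier whitelist, and, for contrast, why decoding entities after purification would reintroduce markup the purifier never saw. It assumes HTML Purifier is installed via Composer (package ezyang/htmlpurifier) so that vendor/autoload.php exists; the input string is constructed for the example.

```php
<?php
// Added example, not from the original thread. Assumes HTML Purifier was
// installed with Composer, so vendor/autoload.php registers its classes.
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow only the markup the editor is expected to produce; anything else
    // (script, iframe, event handler attributes, ...) is dropped.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href],img[src|alt]');
    // Permit only http/https links so javascript: URLs never survive.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

// Correct order (the one used in the question): decode entities first so the
// purifier sees real tags, then let it strip or neutralise them.
function sanitizeEditorHtml(string $posted): string
{
    $decoded = html_entity_decode($posted, ENT_QUOTES, 'UTF-8');
    return makePurifier()->purify($decoded);
}

// Wrong order, shown only for comparison: an entity-encoded tag passes the
// purifier as harmless text and is turned back into live markup afterwards.
function unsafeDecodeAfterPurify(string $posted): string
{
    $purified = makePurifier()->purify($posted);
    return html_entity_decode($purified, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: what a tampered POST might contain, mixing plain editor
// output, a script tag, a javascript: link and an entity-encoded img tag.
$posted = '<p>Hello &amp; welcome</p>'
        . '<script>alert(1)</script>'
        . '<a href="javascript:alert(2)">click</a>'
        . '&lt;img src=x onerror=alert(3)&gt;';

echo "decode-then-purify: " . sanitizeEditorHtml($posted) . "\n";
echo "purify-then-decode: " . unsafeDecodeAfterPurify($posted) . "\n";
```

In the first output the script element and its body are gone, the javascript: href is removed, and the img keeps only its whitelisted attributes; in the second the encoded img tag comes back with its onerror handler intact, because the purifier only ever saw it as text. Decoding the whole string before purification also turns any literal "<" a user typed into a tag, which the purifier must then handle, so the decode step must never be moved after purification. On the client side the documented TinyMCE option is entity_encoding: "raw" in the tinymce.init() settings, which stops the editor converting non-ASCII characters into named entities when the page is served as UTF-8.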
