Hello,
I have a forum like application where people quote their code anippets (of different languages).
Posting without escaping the content is both dangerous and it receievs error.
Could someone please show me a short code snippet on how can I properly
1- Escape the posted text field
2- Then show it correctly on another page and
3- Finally load it into a text box for editing? (possibly unescape it for edit)
Regards, Mac
Run it through htmlentities() when storing it in the database. That should accomplish 1) & 2) and maybe even 3)
Dylan, Thanks
But isn't it necessary to de-encode before loading the encoded string into TinyMCE for example?
Maybe. I'm guessing TinyMCE would show "<" rendered as it's character "<" (for example), which the user can then edit as a single character.
If you do have to decode the string, you'll need to be super careful it doesn't get rendered/executed. Making sure it only gets output within <textarea></textarea> tags should work.
Now that I think of it, if you don't decode you'll probably get stuff re-encoded, as htmlentities() encodes &, so ">" would become ">" which would become ">". So yeah, decode it.
