Solved thread


Escaping a post that contains php, html, javascript ... code snippets


I have a forum like application where people quote their code snippets (of different languages).

Posting without escaping the content is both dangerous and receives an error.

Could someone please show me a short code snippet on how I can properly

1- Escape the posted text field

2- Then show it correctly on another page and

3- Finally load it into a text box for editing? (possibly unescape it for edit)

Regards, Mac

Run it through htmlentities() when storing it in the database. That should accomplish 1) & 2) and maybe even 3)


Dylan, Thanks

But isn't it necessary to de-encode before loading the encoded string into TinyMCE for example?


Maybe. I'm guessing TinyMCE would show "&lt;" rendered as its character "<" (for example), which the user can then edit as a single character.

If you do have to decode the string, you'll need to be super careful it doesn't get rendered/executed. Making sure it only gets output within <textarea></textarea> tags should work.

Now that I think of it, if you don't decode you'll probably get stuff re-encoded, as htmlentities() encodes &, so ">" would become "&gt;" which would become "&amp;gt;". So yeah, decode it.
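An added example (not code from the thread) showing the three steps with a single escape applied at output time rather than at store time: the browser decodes the entities when it fills the textarea, so the same helper serves the display page and the edit form, and the double-encoding Dylan describes is demonstrated at the end together with the `double_encode` flag that suppresses it. The `renderPost`/`renderEditForm` names and the sample snippet are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Escapes untrusted text exactly once, at output.
function escapeForHtml(string $text, bool $doubleEncode = true): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', $doubleEncode);
}

// Step 1: keep the raw snippet in the database unchanged (use a prepared
// statement for the SQL side); the escaping happens only when it is shown.

// Step 2: show it on another page. <pre> keeps the snippet's whitespace and
// the escape turns <script> into inert text.
function renderPost(string $rawSnippet): string
{
    return '<pre><code>' . escapeForHtml($rawSnippet) . '</code></pre>';
}

// Step 3: load it into a text box for editing. The browser decodes &lt; back
// to < when it fills the control, so the user edits the original characters.
// Without the escape, a "</textarea>" inside the snippet would close the tag
// and everything after it would be rendered and executed.
function renderEditForm(string $rawSnippet): string
{
    return '<textarea name="body">' . escapeForHtml($rawSnippet) . '</textarea>';
}

// Constructed sample input containing each character class that matters.
$snippet = "<script>alert('x')</script></textarea> a & b";

echo renderPost($snippet), PHP_EOL;
echo renderEditForm($snippet), PHP_EOL;

// The pitfall from the thread: escaping already-escaped text turns &lt; into
// &amp;lt;, which the page then shows literally as "&lt;".
$once  = escapeForHtml($snippet);
$twice = escapeForHtml($once);
echo $twice === $once ? 'no double encoding' : 'double encoded: ' . $twice, PHP_EOL;

// Passing double_encode=false leaves existing entities alone, and decoding the
// double-encoded form once gets back the singly-escaped text.
$safeAgain = escapeForHtml($once, false);
$decoded   = html_entity_decode($twice, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo ($safeAgain === $once && $decoded === $once) ? 'recovered' : 'mismatch', PHP_EOL;
```

Escaping once at output avoids the decode-before-edit step entirely; if the text is stored already encoded, it must not be passed through the helper a second time unless `double_encode` is false.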