We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Escaping a post that contains php, html, javascript .... code snippets


I have a forum like application where people quote their code anippets (of different languages).

Posting without escaping the content is both dangerous and it receievs error.

Could someone please show me a short code snippet on how can I properly

1- Escape the posted text field

2- Then show it correctly on another page and

3- Finally load it into a text box for editing? (possibly unescape it for edit)

Regards, Mac

Run it through htmlentities() when storing it in the database. That should accomplish 1) & 2) and maybe even 3)


Dylan, Thanks

But isn't it necessary to de-encode before loading the encoded string into TinyMCE for example?


Maybe. I'm guessing TinyMCE would show "<" rendered as it's character "<" (for example), which the user can then edit as a single character.

If you do have to decode the string, you'll need to be super careful it doesn't get rendered/executed. Making sure it only gets output within <textarea></textarea> tags should work.

Now that I think of it, if you don't decode you'll probably get stuff re-encoded, as htmlentities() encodes &, so ">" would become ">" which would become "&gt;". So yeah, decode it.