Showing user input on my page

Question

Showing user input on my page

In our application, we allow the user to write their Bio using the WYSIWYG editor, but often contain bad HTML that breaks our page. Is it a good idea to show the user's biography inside the iframe so that it does not affect the rest of the page? Or any better options?

thanks

+4

javascript html css php user-input

3zzy Feb 28 '10 at 9:57

source share

3 answers

You might want to restrict Markdown users as if Stack Overflow is used for profiles, responses, etc. .

For further reading, you can check the following:

+3

Daniel Vassallo Feb 28 '10 at 9:59

source share

The solution should be to filter out the HTML to make sure it's OK:

Valid HTML
These are only the tags you want to allow.
And does not cause any security problems.

A great tool that does this is HTMLPurifier (citation):

HTML Cleaner is a standard compatible PHP filter library written in PHP. The HTML cleaner will not only remove all malicious code (better known as XSS) with a thoroughly tested, reliable whitelist, it will also make sure your documents are compliant

Basically, after the HTML has been entered by the user, before you save it in your database, you must pass it through an HTML cleaner, which will make sure that it is valid and remove the tag / attribute that you did not specify as "allowed" .

+1

Pascal martin Feb 28 '10 at 10:04

source share

cjensen · Accepted Answer · 2010-02-28T10:00:54+0000

This is not a bad idea, but why don’t you check the html before saving it? Or is it not bad, just ugly? Most editors have clean office formatting. Or is this a business requirement for HTML?

But iframe is the safest way to do this, I would say go for it!

Showing user input on my page

More articles: