
How to use rich text editor for text-area input and yet prevent injections?


this.user

Recommended Posts

I'd like to use a text editor like this one: http://tinymce.moxiecode.com/examples/full.php for my forums.

But I am not sure exactly how I would prevent abuse and injections that mess up the page rather than being contained in the designated area it is meant for.

Could someone please help me? I know htmlspecialchars will not work, since some of the code needs to render as HTML :-\

Well, a fully written WYSIWYG editor most likely doesn't have many injection vulnerabilities, as it's used widely and I've not heard of a complaint nor had one myself.

If you'd write your own, which I must say would be extremely difficult, you'd probably have a higher chance of injections than using a premade one.

Well, as stated, if you use a text editor, it will strip out the stuff you don't want in it. I am pretty sure every editor has its own way of doing it, but I am also pretty sure you can just put the input right in the database. I recommend reading the documentation of the specific editor, since this would be a wild guess.
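Server-side handling of what the editor submits, as an added example that is not part of this thread: an allowlist sanitizer written with Python's standard-library HTML parser. It keeps a fixed set of tags and attributes, drops script/style elements together with their contents, rejects `href` values whose scheme is not http(s), mailto or relative, and re-balances tags so a post cannot leave elements open. The allowed tag and attribute sets are assumptions to adjust to what the forum should render; the editor's own filtering runs in the visitor's browser, so this check is the one the server can rely on.

```python
# Added example: server-side allowlist sanitizer for WYSIWYG editor HTML.
# Not from the thread; standard library only (html.parser).
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "ul", "ol", "li", "br", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}        # attributes kept per tag; no on* handlers, no style
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL

def safe_url(url):
    """True unless the URL carries a scheme we do not allow (e.g. javascript:)."""
    return urlparse(url.strip()).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0  # output, tag stack, script/style depth

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                    # drop the element and its text
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v is not None
                    and (n != "href" or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":
                self.open.append(tag)
        # any other tag is dropped; its text content is still emitted, escaped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open:                  # close back down to the matching tag
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    """Return HTML containing only allowlisted tags/attributes, with tags balanced."""
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out) + "".join(f"</{t}>" for t in reversed(s.open))
```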

Archived

This topic is now archived and is closed to further replies.
