
Using the Wyzz WYSIWYG editor and PHP


kreut


Hello!

 

I'm using the Wyzz editor as part of a web application, allowing users to type in using a WYSIWYG editor which will then print on the web page what they type. I'm wondering if there's a function in PHP which can tell if the text is "html" or the WYSIWYG stuff. In other words, if I'm in the text mode and I click on the bold icon, and I type:

 

Hello how are you?    ----  then it prints "Hello how are you."

 

but if it's in the HTML mode and I type:

<b>Hello how are you?</b>

 

I'd LIKE it to be smart enough to spit out a bold Hello how are you.  Instead, it gives me back <b>Hello how are you?</b>.  So, might there be a version of the PHP echo which basically says "Hey, if it looks like an HTML tag let's treat it as such?"  As you can see by my code below, I'm just using a PHP echo statement right now:

 

<script language="JavaScript" type="text/javascript" src="../../js/wyzz.js"></script>
<?php if (isset($_POST['insert'])) {echo $_POST['textfield'];} ?>
   <form action="" method="post"><textarea name="textfield" id="textfield" rows="10" cols="40"></textarea>
  <script language="javascript1.2">

    make_wyzz('textfield');

  </script>
<input type="submit" name="insert" id="insert" value="Add Text" />
</form>

 

Thank you for taking the time to read this.


I'm not familiar with wyzz, but it sounds to me that you are thinking about this a bit the wrong way. If I were to do something like that, basically what I would do is always treat the input the user sends as HTML.

 

So now that you're always getting HTML through your wyzz editor, we get to the point where the user starts editing his/her old post, which is stored as HTML in your database. You should initialize your editor with the data you have in your database. I had a quick look at the demo on wyzz' site, and you should insert pure HTML inside your <textarea> tags.

 

If you want to filter (and you should) your data, I'd suggest looking into HTML Purifier. It's a great standalone library which will allow you to filter unwanted HTML tags, XSS and a lot more.

 

Edit:

And PHP will not 'recognize' whether a string is HTML or not when you echo it out. If you echo out HTML from your PHP script, let's say: echo "<b>Hello</b>"; it will print out Hello in your site. You need to know what kind of input you expect and treat your input accordingly. If you expect to have plain text, filter your data to plain text, removing unwanted tags or escaping characters.

 

You should be careful about what user input you echo on your site. You will easily expose yourself to XSS holes.
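Added example, not part of the original thread: the two output treatments the reply describes, escaping for a field that should be plain text and HTML Purifier with an allow-list for a field that accepts editor HTML. The helper names, the allowed tag list and the Composer install path are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumes HTML Purifier was
// installed with Composer (package ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: output for a field that must be plain text.
function render_as_text(string $raw): string
{
    // Escape every HTML metacharacter so the browser shows tags literally.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: output for a field that accepts editor HTML.
function render_as_html(string $raw): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Allow-list (assumed for this example): basic formatting and links only.
        $config->set('HTML.Allowed', 'b,strong,i,em,u,p,br,ul,ol,li,a[href]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        // Assumption: no writable cache directory, so disable the definition cache.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($raw);
}

// Constructed sample submission: wanted markup mixed with unwanted markup.
$submitted = '<b>Hello how are you?</b>'
           . '<script>alert(1)</script>'
           . '<a href="javascript:alert(1)" onclick="alert(1)">link</a>';

// Plain-text field: the tags are displayed, never interpreted.
echo render_as_text($submitted), "\n";

// Rich-text field: <b> is kept; the <script> element, the onclick
// attribute and the javascript: URL are removed by the purifier.
echo render_as_html($submitted), "\n";
```

In the form from the question, the value of $_POST['textfield'] would go through one of these helpers before being echoed, and the same purified HTML is what gets stored and later loaded back into the editor.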
