Question about htmlentities()

[downah]

Wondering about htmlentities() as I have a rich text editor implemented on my website, how would I correctly use htmlentities() as I still want the data which was put into the rich text editor to correctly show, sorry for me being a bit vague, it is late and im tired but hope someone can shine some light on this for me

[f3nnix]

pff, not really sure what you whant but something like this could help

 

//Get the document in a string
$document = file_get_contents("sample.rtf",true);
//translate into these entities
$htmlCode = htmlentities($document);

//print it out (exp.)

echo $htmlCode;

[requinix]

If by "rich text" you mean one of those JavaScript editor things then,

 

You don't have to use it: stuff will already be entity-encoded. If you're worried about disallowed HTML tags then strip_tags is a good start.

[downah]

If by "rich text" you mean one of those JavaScript editor things then,

 

You don't have to use it: stuff will already be entity-encoded. If you're worried about disallowed HTML tags then strip_tags is a good start.

That's right, I was just scared for people being able to insert scripts through there since I didn't really seem to be able to sanitize it with htmlentities(), so it seems with the strip_tags I should allow only certain codes (all the functions on the built in text editor) to be able to get it secure?

[requinix]

That's right, I was just scared for people being able to insert scripts through there since I didn't really seem to be able to sanitize it with htmlentities(), so it seems with the strip_tags I should allow only certain codes (all the functions on the built in text editor) to be able to get it secure?

It gets you partway. It's still possible for people to exploit events like

Hover over me

strip_tags() won't remove attributes. Best idea I've seen is to use strip_tags() to remove the tags you don't want, then DOM (eg, DOMDocument) to remove all attributes (except any ones you want to allow).