I have this property which is HTML saved from a TinyMCE editor:
<?php echo h($person['Person']['CurriculumVitae']); ?>
How can I have it displayed on the web and rendered as RAW Html not a simple string?
Don't wrap the variable in h(), an alias for htmlspecialchars(), which escapes HTML entities:
<?php echo $person['Person']['CurriculumVitae']; ?>
Just to remove the h() might solve your issue but it will open possible security holes because the field that keeps the html from TinyMCE will now become a possible security hole.
I had the exact same issue and solved it by using http://htmlpurifier.org/ for the output of tinymce HTML. I've written also a CakePHP plugin around it. https://github.com/burzum/HtmlPurifier
HtmlPurifier will allow you to configure an allowed set of Html elements and even of it's attributes. So you could for example specify that href is allowed but class is not.
You'll need to create a config for HtmlPurifier that will match whatever you allow your users to do with TinyMce. It will remove all non allowed tags and attributes from the markup the user has entered.
Related
I am adding a product attribute onto my product pages in Magento Enterprise V 1.14.1 and I can't get the HTML to display as it should on the frontend. I have WYSIWYG disabled with the 'Allow HTML Tags on Frontend' set to yes and have confirmed in my PHPAdmin databases that it is set to 1, but on my product page it is still displaying the raw HTML.
On the same page I have attributes which point to a static block with HTML and those display as they should, but this attribute which uses a text field doesn't seem to want to display correctly.
This is the code I am using to call my attribute in case that is where the issue is lying where 'static_block' is the name of my attribute I'm trying to call:
<?php echo $this->htmlEscape($_product->getData('static_block')); ?>
And what's weird is when I enable 'Visible on Product View Page on Front-end' and it appears in the 'Additional Information Tab' it displays as it should. So I'm guessing there might be something wrong with my script which is calling the attribute.
Thanks for the help!
It appears to be converting the html into Escaped HTML, which I do not think you want in this case. Try without htmlEscape() wrapping the static_block.
<?php echo $this->$_product->getData('static_block'); ?>
--- 11/10/2014 13:00 EST
It now appears you are calling an array for echo, rather than individual elements of an array.
--- 11/10/2014 13:15 EST
I stripped the HTML, used an HTML cleaner and, using Google Chrome's Edit HTML feature, I stripped out the quoted block and pasted the cleaned HTML and it worked perfectly, which pretty much confirms the Escaped HTML is to blame. It is reading <div> rather than <div> for instance.
echo $this->$_product->getData('static_block');
please use this code
Facebook like button (XFBML) used this
<fb:like send="true" width="450" show_faces="true"></fb:like>
Clearly the <fb></fb> is a tag, XML will accept it but it's not HTML. So is it normal that the browser keep it in the document?
What kind of programming technique is this called? Is it the right way? Or just another way to create a hidden element and replace the id="fb" ?
What is the :something in <fb:like> stands for? How to access it with javascript?
This is XHP!
XHP is a PHP extension created by Facebook.
It makes PHP understand XML nodes, so you can write something like this (from their own example):
<?php
$href = 'http://www.facebook.com';
echo <a href={$href}>Facebook</a>;
?>
XHP also allows you to create PHP classes, which can be used in your markup. So the <fb:like /> node is actually turned into a PHP class at compile time. The definition of the class probably looks like this:
<?php
class :fb:like extends :x:element {
...
}
You can read more about it in the link to Github above, and on the creators blog which is all about XHP.
So to answer your questions:
will not be processed by the browser, but by XHP. XHP turns it into PHP objects, which lastly turns it into valid HTML tag(s). This is true when using XHP, but it is also possible for us to use the same tag, without XHP. I'm guessing this is just a matter of parsing the tag in javascript and sending the variable to the API, which probably uses API to recreate the structure, and send back the HTML.
Not really a technique, but a unique thing that Facebook has developed to make their lifes working with PHP easier.
Again, when it is returned to the browser, it has been transformed by XHP (after sending it to Facebook through javascript). Try looking at the rendered version - it looks different than the simple <fb:like> tag.
I've been trying to echo html already created by the user (Using TinyMCE) into another page in the application. The problem I keep running into is the tags are echoed into their HTML equivalents (e.g. > instead of <) so they show up on the page instead of effecting the markup.
How do I get CakePHP to display the content as HTML instead of just echoing it?
Try using html_entity_decode.
echo html_entity_decode($theirHTML);
I am developing site with WordPress and I'm newbie for WordPress. WP adds <p> tag in editor while adding any post or pages. But I can't see the <p> tag in HTML mode. Can anyone suggest me what might be the problem?
Thanks in advance
It's not difficult to do this. To display the p and br tag we just need to install plugin which is "tinymce-advanced" and do some setting change. To change the setting just click check box for "Stop removing the p and br tags when saving and show them in HTML editor" and save. Now we can see the p and br tags in HTML mode.
:)
When you retrieve the stored data from the database, you need to run a filter on it to add the p and br tags back in. This is how wordpress handles content. When you use the_content(), for example, it is already running a filter on it, so when you have a custom loop, you may need to run the filter manually.
<?php echo apply_filters('the_content', $your_retrieved_data); ?>
reference: http://codex.wordpress.org/Function_Reference/apply_filters
You definitely don't need a plugin, and I would recommend not using the method described by user75472. Your data won't be as clean and future-proof.
Try adding the following line just before the_content() tag in your template:
<?php remove_filter ('the_content', 'wpautop'); ?>
Source
How do I limit the types of HTML that a user can input into a textbox? I'm running a small forum using some custom software that I'm beta testing, but I need to know how to limit the HTML input. Any suggestions?
i'd suggest a slightly alternative approach:
don't filter incoming user data (beyond prevention of sql injection). user data should be kept as pure as possible.
filter all outgoing data from the database, this is where things like tag stripping, etc.. should happen
keeping user data clean allows you more flexibility in how it's displayed. filtering all outgoing data is a good habit to get into (along the never trust data meme).
You didn't state what the forum was built with, but if it's PHP, check out:
http://htmlpurifier.org/
Library Features: Whitelist, Removal, Well-formed, Nesting, Attributes, XSS safe, Standards safe
Once the text is submitted, you could strip any/all tags that don't match your predefined set using a regex in PHP.
It would look something like the following:
find open tag (<)
if contents != allowed tag, remove tag (from <..>)
Parse the input provides and strip out all html tags that don't match exactly the list you are allowing. This can either be a complex regex, or you can do a stateful iteration through the char[] of the input string building the allowed input string and stripping unwanted attributes on tags like img.
Use a different code system (BBCode, Markdown)
Find some code online that already does this, to use as a basis for your implementation. For example Slashcode must perform this, so look for its implementation in the Perl and use the regexes (that I assume are there)
Regardless what you use, be sure to be informed of what kind of HTML content can be dangerous.
e.g. a < script > tag is pretty obvious, but a < style > tag is just as bad in IE, because it can invoke JScript commands.
In fact, any style="..." attribute can invoke script in IE.
< object > would be one more tag to be weary of.
PHP comes with a simple function strip_tag to strip HTML tags. It allows for certain tags to not be stripped.
Example #1 strip_tags() example
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
The above example will output:
Test paragraph. Other text
<p>Test paragraph.</p> Other text
Personally for a forum, I would use BBCode or Markdown because the amount of support and features provided such as live preview.