Escaping a string with Blade, rendering HTML - php

I have a $text variable that holds some text and HTML code. I would like to render its HTML, but still make sure the rest of the string is escaped.
$text = 'Example text with image <img src="image_1.jpg">. More text...';
// This will render the HTML but will NOT escape the string
{!! $text !!}
// This will escape and display the variable as raw string, with no HTML rendering
{{ $text }}
In Laravel 5, is there a way to escape a string with Blade while allowing HTML?

I am not aware of such functionality in Blade. You cannot just allow specific HTML tags, because they may have unwanted stuff (like onload) inside them. Processing of the string may be tricky. Have you considered a markup language?

In this case you need to do some manual processing of the string.
It might be possible that Purifier https://github.com/mewebstudio/Purifier will do what you need. It will make strings harmless, and then it is safe to print the HTML in it.
Otherwise you need to write your own parser if nothing else like that is found.

Related

TinyMce not storing html, just raw text (laravel)

So I added TinyMCE with this method
<script src="https://cdn.tiny.cloud/1/myapihere/tinymce/5/tinymce.min.js"></script>
<script>tinymce.init({selector:'textarea'});</script>
and added a textarea later on the text. But for some reason
This is what I want it to show to me, when the post is updated
This is what it shows me
If I understand correctly, your problem is that when you output the string from TinyMCE, you get the raw HTML without any formatting.
I think the problem is how you output the string. When outputting HTML in a Blade template, don't use {{ $content }}; this will automatically encode HTML entities.
To output HTML, you have to use {!! $content !!}. This will output your string as is and won't encode HTML entities.

Prohibit the posting of HTML in textarea form field

I have a text area where a user can define a post. This field should allow BBCODE but not HTML.
Currently HTML is allowed but it should not be.
How can I disallow HTML tags to be posted by the user?
There are two main choices here. You can either escape the HTML, so it's treated as plain text, or you can remove it. Either way is safe, but escaping is usually what users expect.
To escape, use htmlspecialchars() [docs] on the input, before you process the bbcode.
echo htmlspecialchars("<b>Hello [i]world![/i]</b>");
&lt;b&gt;Hello [i]world![/i]&lt;/b&gt;
To remove the HTML tags entirely, use strip_tags() [docs] instead:
echo strip_tags("<b>Hello [i]world![/i]</b>");
Hello [i]world![/i]
I think you should use strip_tags(); it will strip HTML tags and preserve the text but leave BBCode.
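The escape-first approach from the accepted answer, carried through to a working BBCode renderer. This is an added example, not code from either answer: the function, its name and the small BBCode subset it supports ([b], [i], [u], [url=...]) are assumptions for illustration. Everything the user typed goes through htmlspecialchars() before any BBCode is translated, so the only HTML that can reach the page is the fixed set of tags the function itself emits.

```php
<?php
// Added example: escape user input first, then translate a fixed BBCode
// subset into HTML. Function name and supported tags are assumptions.

declare(strict_types=1);

/**
 * Convert user-supplied BBCode to HTML without letting raw HTML through.
 *
 * 1. htmlspecialchars() neutralises every '<', '>', '&' and quote, so any
 *    HTML the user typed is displayed literally.
 * 2. The BBCode subset is then rewritten into tags that this function, not
 *    the user, generates. Nothing else is ever emitted as markup.
 */
function bbcodeToSafeHtml(string $input): string
{
    // ENT_QUOTES also escapes single quotes, so the text is safe even inside
    // the href attribute built below; ENT_SUBSTITUTE avoids empty output on
    // invalid UTF-8.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/s' => '<u>$1</u>',
        // [url=...]: only absolute http(s) targets are accepted, which rules
        // out javascript: and data: links; the target text is already escaped.
        '/\[url=(https?:\/\/[^\]\s"\'<>]+)\](.*?)\[\/url\]/s'
            => '<a href="$1" rel="noopener noreferrer">$2</a>',
    ];

    return preg_replace(array_keys($rules), array_values($rules), $escaped);
}

// Constructed sample inputs (the first one is the string from the answer above).
$samples = [
    '<b>Hello [i]world![/i]</b>',
    '[b]bold[/b] & <script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=https://example.com/]example[/url]',
];

foreach ($samples as $sample) {
    echo bbcodeToSafeHtml($sample), PHP_EOL;
}
```

Running this prints the first sample as `&lt;b&gt;Hello <em>world!</em>&lt;/b&gt;`: the user's `<b>` survives only as visible text, while `[i]` becomes a real `<em>`. The `<script>` in the second sample is likewise reduced to text, and the `javascript:` link in the third is left as plain BBCode because the URL pattern only matches `http://` and `https://`.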

strip_tags + htmlentities + special in textarea with WYSING editor

I have a trouble with a textarea input that has a WYSIWYG editor (Simple); the DB rows are in UTF8_general_ci, and now I set the HTML text in the template with this:
htmlentities(utf8_decode($row['field']));
The problem is the WYSIWYG editor: if the user puts a <strong>, <P> or similar, the text shown in the template is the string code of the tag, not the code, because I use htmlentities; but if I do not use this and show the raw text, the problem is "the special tags", for example <script>, <iframe>.
The solution for this is the use of strip_tags(), allowing ONLY the ones used by the editor... but one problem persists with this... if the user uses, for example, <p onclick="alert('fckoff!')">HELLO!</p>, the alert is shown because it's an allowed HTML tag.
Does any method exist to allow ONLY certain tags + prevent escaping special chars (like ', ", ñ, or '`´) + limit these "security issues"?
Thanks!
You could make a function to remove any content you don't want, using regular expressions.
For example to remove the onclick js event you could do something like:
$field = preg_replace('/onclick=\"[^"]*\"/', '', $field);
For multiple tags you could:
$field = preg_replace('/(onclick|onload|onwhatever|...)=\"[^"]*\"/', '', $field);
As you are using a custom CMS/Framework, it's a very complicated thing; I suggest you copy function(s) from a Framework like CodeIgniter. Here you will find good code (public function xss_clean): https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Security.php
You can modify it according to your needs. And keep your code updated with the above link's function to be secure from new threats.

str_replace inline script code from html in php not working

I have an HTML page stored in the MySQL database. I get the HTML from the database and try to replace some of the inline JavaScript code in the HTML content. I tried using str_replace(), but it does not replace the inline JavaScript code. I can replace other HTML content like divs, but not inline JavaScript code.
How can I find and replace the inline JavaScript code?
PHP should be seeing the entire HTML page as a big string, so in theory, it should be able to alter JS and HTML alike. Is it possible the string still has slashes, and your str_replace can't find the search criteria due to the slashes?
Try printing the entirety of the string to the screen to make sure, and if it does still have slashes, use a stripslashes($string) call to get rid of them.
You probably want to use a DOM parser to handle your webpage as a DOM structure, not a serialised string of HTML (where things like string replacement and regular expressions can be troublesome).

htmlentities displaying html safely

I have data that is coming in from an RSS feed. I want to be safe and use htmlentities, but then again, if I use it and there is HTML code in there, the page is full of code and content. I don't mind the formatting the RSS offers and would be glad to use it as long as I can display it safely. I'm after the content of the feed, but I also want it to format decently (if there is a break tag or paragraph or div). Anyone know a way?
Do you want to protect from XSS in the feed? If so, you'll need an HTML sanitizer to run on the HTML prior to displaying it:
HTMLSanitizer
HTMLPurifier
If you just want to escape whatever is there, just call htmlspecialchars() on it. But any HTML will appear as escaped text...
You can use the strip_tags function and specify the allowed tags in there:
echo strip_tags($content, '<p><a>');
This way any tag not specified in allowed tags will be removed.
You can transform the HTML into Markdown and then back up again using various libraries.
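The allowlist sanitizer that several of the threads above circle around, as an added example that is not code from any of the answers or from HTMLPurifier: it serves the WYSIWYG-editor question (allow only certain tags, but stop `<p onclick="...">`), the suggestion in the str_replace thread to work on the parsed DOM rather than the HTML string, and the `strip_tags($content, '<p><a>')` answer here, which keeps every attribute on the tags it allows. The approach is an assumption chosen for illustration and uses only PHP's bundled DOM extension; the allowlists (element names, attributes, URL schemes) and the function names are mine. Because the parser decodes entities before the code looks at attribute values, an `href` written as `&#106;avascript:` is seen as `javascript:` and rejected, which a regex over the raw string would miss.

```php
<?php
// Added example: allowlist HTML sanitizer on top of DOMDocument. The
// allowlists and function names are assumptions for illustration.

declare(strict_types=1);

const ALLOWED_TAGS    = ['p', 'br', 'strong', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS   = ['a' => ['href']];          // per element; nothing else survives
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose *content* must go too (unwrapping a <script> would leak its text).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function sanitizeHtml(string $dirty): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);       // tolerate tag soup quietly
    // The leading XML declaration tells libxml the fragment is UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $dirty . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);

    // Serialise only the body's children, not the <html><body> wrapper.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node): void
{
    // Snapshot the list: we remove and move children while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                               // text is always safe once serialised
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);             // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        sanitizeNode($child);                       // clean the subtree first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown wrapper (div, span, font...): keep its cleaned children, drop the tag.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        sanitizeAttributes($child);
    }
}

function sanitizeAttributes(DOMElement $el): void
{
    $allowed = ALLOWED_ATTRS[strtolower($el->tagName)] ?? [];
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        // Anything not explicitly allowed goes: every on* handler, style, id...
        if (!in_array($name, $allowed, true)) {
            $el->removeAttribute($attr->name);
        } elseif ($name === 'href' && !hasAllowedScheme($attr->value)) {
            $el->removeAttribute($attr->name);
        }
    }
}

function hasAllowedScheme(string $url): bool
{
    // Browsers ignore leading control characters and whitespace inside the
    // scheme ("java\tscript:"), so remove them before looking at it.
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
        return true;                                // relative URL, no scheme at all
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Constructed sample input covering each case the threads above mention.
$dirty = '<p onclick="alert(1)">Hi <strong>there</strong></p>'
       . '<script>alert("xss")</script>'
       . '<a href="&#106;avascript:alert(1)">bad</a> '
       . '<a href="https://example.com/">ok</a>'
       . '<span style="color:red">kept text</span><!-- note -->';

echo sanitizeHtml($dirty), PHP_EOL;
```

The output keeps `<p>Hi <strong>there</strong></p>`, the `https://` link and the words "kept text", while the `onclick`, the whole `<script>` element, the `javascript:` href (left as a bare `<a>bad</a>`), the `<span>` wrapper and the comment are gone. The result is HTML the sanitizer itself serialised, so it can be printed unescaped (in Blade, with `{!! !!}`); raw user input should still never take that route. Where the project can pull in a dependency, HTMLPurifier, mentioned in the answers above, covers far more edge cases than this allowlist does.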
