I'm using TinyMCE 4 on a project, where I need to be able to pre-populate the textarea with HTML that was submitted through POST (for server-side error handling without deleting all their work) I know that a textarea works mostly like a tag, in that HTML inside is not parsed into DOM, so most sites show the demo:
<textarea name="demo"><?=$_POST['demo']?></textarea>
but what happens when a user submits HTML that includes an unmatched <textarea> or </textarea> tag?
Is there a standard way to manage this risk?
use htmlspecialchars($_POST['demo']) in php when outputing
Remove only the <textarea> tags from the user input. Please see this post using regular expressions. It tells you how to remove only certain tags (unlike htmlentities) which removes all tags.
Use xmp tag instead of textarea. It will display html as itself.
Eg: http://dadinck.x10.mx/xmp.html
htmlentities function will replace every html caracter (such as <) to one that will display correctly but wont break your html.
http://www.php.net/manual/en/function.htmlentities.php
Related
Preface: I cannot rename the source tags or edit their IDs. Any changes to the tags must happen after they have been fetched.
What I'm doing: using file_get_contents in PHP, I am requesting data from a remote site. This data is just two <p> tags. I need to hide or rename the second of the two <p> tags.
Is this possible with PHP or jQuery?
What I'm working with:
<p>Hello my name is test</p><p>I like studying geology.</p>
If you need to hide second text, you can do this with Jquery:
$('p:eq(1)').hide();
Jsfiddle
You could try a php string replace
$new_string = str_replace('</p><p>','',file_get_contents('somecontent'));
If you need to do it before render HTML, you need to parse contents and remove/replace second p tag and create a new content.
Here is a DOM parser Simple HTML DOM Parser
Find similar questions below
How to match second <a> tag in this string
How to add attribute to first P tag using PHP regular expression?
Or you can do it after rendering HTML as rNix suggested.
I'm doing a web builder and I'm having a bit of trouble.
I want to have a textarea that you can enter text that you want to your TEXT element. This element I disabled the HTML when it´s later off previewed by simply putting a .innerText before posting preview. Though, I might just need the <br> tag.
I can use PHP or JS. Any ideas?
Use nl2br(htmlspecialchars($str)) when displaying the text. Note that the order of the function calls matters - first you escape all HTML in the string and then you convert linebreaks to HTML linebreaks.
When you are typing in a textarea, and the return key is pressed,
What actually goes on behind the scenes is this
Hi, \n There
which produces the following in the textarea.
Hi
There
Hence, what you would need to do is essentially change the \n (newline) to break tags.
http://php.net/manual/en/function.nl2br.php
Just use a plain textarea, afterword use a function like nl2br when you display it in your html page
nl2br(htmlspecialchars($string))
changes the line breaks to <br /> tags, so you can display them in html as seen in the textarea.
Is there a simple php script ignoring html content in a database and not loading it using php?
Like: don't load images, or anchors, or elements with class=""...
Best Regards
use function strip_tag('your content here'). It will remove all HTML tags from your content and gives pure text base output.
http://php.net/manual/en/function.strip-tags.php
I think you're looking for strip_tags(). It removes HTML tags from a text. You can also specify list of tags to keep.
Have to say, parsing text content from a HTML page requires more complex operation.
You can strip_tags()
This function tries to return a string with all NUL bytes, HTML and
PHP tags stripped from a given str. It uses the same tag stripping
state machine as the fgetss() function.
I have a html page stored in the mysql database. I get the html from the database and try to replace some of the inline javascript code from the html content. I tried using str_replace() but it does not replace the inline javascript code. I can replace other html content like divs but not inline javascript code.
How can I do find and replace the inline javascript code?
PHP should be seeing the entire HTML page as a big string, so in theory, it should be able to alter JS and HTML alike. Is it possible the string still has slashes, and your str_replace can't find the search criteria due to the slashes?
Try printing the entirety of the string to the screen to make sure, and if it does still have slashes, use a stripslashes($string) call to get rid of them.
You probably want to use a DOM parser to handle your webpage as a DOM structure, not a serialised string of HTML (where things like string replacement and regular expressions can be troublesome).
I have data that is coming in from a rss feed. I want to be safe and use htmlentities but then again if I use it if there is html code in there the page is full of code and content. I don't mind the formatting the rss offers and would be glad to use it as long as I can display it safely. I'm after the content of the feed but also want it to format decently too (if there is a break tag or paragraph or div) Anyone know a way?
Do you want to protect from XSS in the feed? If so, you'll need an HTML sanitizer to run on the HTML prior to displaying it:
HTMLSanitizer
HTMLPurifier
If you just want to escape whatever is there, just call htmlspecialchars() on it. But any HTML will appear as escaped text...
You can use the strip_tags tags function and specify the allowed tags in there:
echo strip_tags($content, '<p><a>');
This way any tag not specified in allowed tags will be removed.
You can transform the HTML into mark down and then back up again using various libraries.