2

I am using PHP to generate some HTML code.

It is in the now ,

<textarea>
<html>
....
</html>
</textarea>

What I would like to do is create a button 'save as html'.

When I press it, it shows the Windows 'save as' dialog, allowing the user to choose the place to store the file,

then saves to that place on confirmation (the dialog should not be created by me; it should use the Windows one).

Is the workflow: first I save a temp HTML file on my server, then the user opens the dialog (I do not need to worry about the 'saving to' part, I just need to specify the temp HTML file path), and when the user closes it, I delete the temp file? So, how can it be realized? Thanks.

Thank you again.

Ozzy
user782104
  • A document which might be worth reading about file download injection attacks: https://www.aspectsecurity.com/wp-content/plugins/download-monitor/download.php?id=9 – nico Apr 15 '12 at 12:02

3 Answers

4

You cannot just put an <html> tag into a <textarea> tag, it does not work that way.

I would suggest you use a premade solution such as TinyMCE which will take care of most things for you. Also use something like HTML Purifier to sanitize user input before you save it, as someone could save a malicious script.

The TinyMCE website has lots of examples on how to use it.

nico
  • I am currently using ckeditor, it is a similar thing I believe. Is there any save-as function provided by them? Thanks – user782104 Apr 15 '12 at 09:55
  • @user782104: I never used ckeditor, but it looks like it would be possible. See for instance: http://goo.gl/4TcWG or http://stackoverflow.com/questions/7777110/can-we-save-ckeditor-data-into-doc-file (and I haven't googled it a lot...) – nico Apr 15 '12 at 10:01
2

You can do that using the PHP header function, like this (assuming your HTML is posted to this page):

<?php

header('Content-Disposition: attachment; filename="filename.html"');
echo $_POST['html'];
?>

Set this PHP page to be the target of that form and I guess you will be done.

EDIT: but you should watch out for possible XSS attacks, as Damien Pirsy noted in the comment; you can always sanitize the input, though, and strip things that are not needed, like scripts.

AL-Kateb
  • 3
    This would be a paradise for XSS attackers, though. Let them create arbitrary html files on your server...well, smells – Damien Pirsy Apr 15 '12 at 09:52
  • you're right, but one can utilize it and sanitize it the way they want, like strip scripts and everything – AL-Kateb Apr 15 '12 at 09:55
  • 2
    Well, that would be a nice integration to your answer – Damien Pirsy Apr 15 '12 at 09:56
  • @AL-Kateb how would you go about that when he's trying to generate a HTML page? – Ozzy Apr 15 '12 at 10:01
  • the question was specific and so was the answer: he has a text area that will have html code, he posted that html code, it got sanitized and sent to the user-agent. This would still save the html file just fine. The whole point behind the answer was to point out how to have a save as dialogue, as you're asking about that; just pay attention to the scripts and all – AL-Kateb Apr 15 '12 at 10:05
  • Thanks, you mean when i press the submit button , post the text area to a page with the code you provided? – user782104 Apr 15 '12 at 10:06
  • yea, that's right, the html code in the text area named (html) will be printed and, since the header is sent, the browser will show the save as dialogue instead of just displaying the content – AL-Kateb Apr 15 '12 at 10:09
2

PHP is on the server-side don't forget. Once the page is generated, it is on the client. I think it makes more sense to do this sort of thing with javascript, although you could also post the data to a PHP page which would then obtain the data.

Send the 'input' data to a PHP page by POST method:

<form action="savedata.php" method="post">
     <!-- method="post" is required, otherwise the data arrives in $_GET -->
     <textarea id="someElement" name="someElementName"></textarea>
     <input type="submit" />
</form>

Receive it on the PHP end:

# savedata.php

$inputdata = $_POST["someElementName"];
$filename = "somefile.html";
file_put_contents($filename, $inputdata);

Then you could have a link in PHP to download the file.

echo "<a href='".$filename."'>Right-click, Save Target As...</a>";

After that you can delete the file from your server like this:

unlink($filename);

To open a save file dialog - redirect to the file, your browser should open up a save file dialog:

header('Content-Type: text/plain');
// Concatenate the variable: inside single quotes "$filename" is not interpolated
header('Content-Disposition: attachment; filename="' . $filename . '"');

To view a preview of the file, make an iframe:

echo "<iframe src='$filename' width=600 height=200 frameborder=0></iframe>";
Ozzy
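
A hardened variant of the header-based download from the second answer, which also avoids the temporary file in the web root used in the third answer. This is an added example, not code from any of the answers; the `name` form field, the 1 MiB limit and the function names are assumptions, while the `html` field matches the second answer.

```php
<?php
// Added example: stream the posted HTML straight back as a download.
// Nothing is written to the server, so no attacker-controlled .html file
// is ever served from the site's own origin.
declare(strict_types=1);

const MAX_BYTES = 1048576; // assumed upper bound for the posted document (1 MiB)

// Reduce a user-supplied name to a safe basename with a fixed extension, so
// CR/LF, quotes and path components never reach the Content-Disposition header.
function safe_download_name(string $requested, string $fallback = 'page.html'): string
{
    $base = basename(str_replace('\\', '/', $requested));
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
    $stem = pathinfo(ltrim($base, '.'), PATHINFO_FILENAME);
    return $stem === '' ? $fallback : substr($stem, 0, 64) . '.html';
}

// Send the document as an attachment that the browser will not render inline.
function send_html_download(string $html, string $name): void
{
    header('Content-Type: application/octet-stream');  // never text/html
    header('X-Content-Type-Options: nosniff');         // no MIME sniffing
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . strlen($html));
    header('Cache-Control: no-store');
    echo $html;
}

if (PHP_SAPI !== 'cli') {
    $html = $_POST['html'] ?? null;       // field name from the second answer
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !is_string($html)
        || strlen($html) > MAX_BYTES) {
        http_response_code(400);
        exit('Bad request');
    }
    // 'name' is a hypothetical optional field; it is never trusted as-is.
    $name = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
    send_html_download($html, safe_download_name($name));
}
```

The downloaded file still contains whatever markup was posted, so sanitizing it (for example with HTML Purifier, as the first answer suggests) remains a separate step if the file will later be opened or re-hosted.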