
I have a field in the form that contains HTML, so I use htmlspecialchars before displaying it to the user, so it actually shows up as HTML (with tags). Something like this:

//in my php script, right after I get the values from the database
//(ENT_QUOTES and the charset make the escaping safe inside a quoted attribute)
$someVar = htmlspecialchars($someVar, ENT_QUOTES, 'UTF-8');

//inside html (I use Smarty template); input is a void element, so no </input>
<input id="someVar" name="someVar" type="text" size="50" value="{$someVar}">

Now the problem happens when the user submits the form: somehow the tags are lost on submit and I simply get the text (interpreted HTML) written to the database.

How do I successfully allow the user to edit fields that contain HTML tags?

sarsnake
  • Confirm that this is the case. I doubt it is. You are probably looking at some debugging output in your browser, and the browser is interpreting the HTML. Either that, or you have some filter on your server trying to prevent XSS or something. If this is the case, then show us the relevant PHP code, and the dump of `$_POST` or something. – Brad Dec 03 '12 at 04:26
  • I think http://stackoverflow.com/questions/12613762/saving-and-displaying-html-and-special-characters-in-a-mysql-database-safely and http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars will help you – NullPoiиteя Dec 03 '12 at 04:27
  • No Brad, I am not looking at debugging output. I am looking at the form input field that now contains bold text instead of bold tags. When I spit POST out before I save it to the database, the tags appear stripped already. So it happens between form submit and spitting out POST, i.e. in a place that I have no control of. – sarsnake Dec 03 '12 at 04:55
  • Perhaps I will re-phrase the question. How do I allow the user to edit input fields that contain HTML tags and make sure that they are saved in the database as text containing HTML tags? – sarsnake Dec 03 '12 at 04:56
  • @NullPointer, it's not a safety issue that I am wondering about here, it's the functionality. – sarsnake Dec 03 '12 at 04:57
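As an added example (my code, not from the question or its comments), here is the round trip the question asks for in plain PHP: store the raw string, escape only when emitting the attribute, and never escape or strip before saving. The function names are mine; `{$someVar|escape}` is Smarty's equivalent of `attrEscape`, and the sample row is constructed.

```php
<?php
// Added example, not code from the question. A field holding raw HTML
// survives an edit only if the raw string is stored and escaping happens
// at output, for the context it is emitted into (a double-quoted attribute).

// Escape a value for a double-quoted HTML attribute.
function attrEscape(string $raw): string
{
    // ENT_QUOTES also covers single quotes; the charset must match the page.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <input> markup (plain PHP; in Smarty this is {$someVar|escape}).
function renderInput(string $name, string $raw): string
{
    return sprintf('<input id="%1$s" name="%1$s" type="text" size="50" value="%2$s">',
        attrEscape($name), attrEscape($raw));
}

// What the browser does with the attribute: decode the entities, so the text
// box shows and submits the original string, tags included.
function browserAttributeValue(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Save handler: keep $_POST['someVar'] raw and bind it with a prepared
// statement. Calling htmlspecialchars() or strip_tags() here changes the
// stored text on every edit.
function valueToStore(string $posted): string
{
    return $posted;
}

$dbValue = 'Say <b>"hello"</b> & <a href=\'#\'>bye</a>';   // constructed sample row

$html = renderInput('someVar', $dbValue);
preg_match('/value="([^"]*)"/', $html, $m);
$submitted = browserAttributeValue($m[1]);   // what arrives in $_POST['someVar']

if ($submitted !== $dbValue || valueToStore($submitted) !== $dbValue) {
    throw new RuntimeException('tags did not survive the round trip');
}

// The common mistake: escaping before storage. After one save the row holds
// "&lt;b&gt;", and the next edit shows literal entities instead of tags.
if (attrEscape($submitted) === $dbValue) {
    throw new RuntimeException('unexpected: escaping was a no-op');
}
echo "round trip preserved the HTML tags\n";
```

The stored HTML still has to be escaped or sanitized wherever it is later rendered as markup rather than inside an input; only the edit form is covered here.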
