
I want to send HTML content by POST. But when fetching it and sanitizing it it also cleans the HTML characters.

$Code = filter_var_array($value, FILTER_SANITIZE_STRING);

When I send:

I would like to <strong>Save this data</strong>

I receive:

I would like to Save this data

What should I change to create a safe string?

Edit: In my form I have a WYSIWYG editor (FCK Editor) and its contents are what I am after.

Alex
    Maybe you could use BBCode instead? – Brewal Jan 20 '15 at 15:44
    What are you trying to defend against? SQL Injection and Cross Site Scripting are very different problems, but both involve user input and can be dealt with (poorly) by throwing away chunks of data from the input (as you are currently doing). They also have questions covering them quite well on this site. There are other things you might want to defend against too, but they are less general and depend more on context. – Quentin Jan 20 '15 at 15:45
    htmlspecialchars() ? – Amit Verma Jan 20 '15 at 15:47
  • [possible duplicate](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) and a [completely different possible duplicate](http://stackoverflow.com/questions/9826970/prevent-xss-but-allow-all-html-tags) – Quentin Jan 20 '15 at 15:47
  • @AmitThakur — Would render the HTML as text instead of as a strong element. – Quentin Jan 20 '15 at 15:48
  • @Quentin I use FCK Editor that generates HTML content. That's what I try to do. – Alex Jan 20 '15 at 16:02
  • @AlexHakkenberg — HTML is HTML. It doesn't matter where it comes from, all that matters is that it is from outside the system. You are running the HTML through a sanitizing filter, there is presumably a reason you are doing this: What attacks are you trying to defend against? Look at the potential duplicate questions linked above. – Quentin Jan 20 '15 at 16:09

1 Answer


I have used HTMLPurifier which is a PHP filter library to sanitize HTML input.

Basic usage is something like this;

// The bootstrap file is HTMLPurifier.auto.php (case matters on case-sensitive filesystems).
include_once('/htmlpurifier/library/HTMLPurifier.auto.php');
// Default config: a built-in whitelist of safe tags/attributes; script, event handlers and javascript: URLs are removed.
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// The result keeps allowed markup such as <strong> instead of stripping every tag.
$clean['htmlData'] = $purifier->purify($_POST['htmlData'] ?? '');
Mark_1
  • It may be because you've linked off-site without leaving an explanation here. Links are bound to change / die in time, leaving your answer unhelpful down the road. – Charlie Schliesser Jan 20 '15 at 15:52
  • Sorry, I didn't downvote! But your answer is more like a comment! – Amit Verma Jan 20 '15 at 15:57
  • This is the correct answer. HTML purifying libraries should be used; writing your own would be incredibly difficult. I personally used HTML Purifier, but many other tools could be used on both the initial client and server side (ALWAYS purify on the server as well; never trust data from users!). – Kevin Eaton Jan 20 '15 at 17:11
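The following is an added example, not code from the question or the answer above. It shows what the answer describes in a form that is closer to production use: HTML Purifier configured with an explicit tag and attribute whitelist for the markup a WYSIWYG editor produces, run against the question's sample text plus two constructed XSS payloads, side by side with the `FILTER_SANITIZE_STRING` call from the question. It assumes HTML Purifier was installed via Composer (`ezyang/htmlpurifier`); the `posts`/`body` table and column names are assumptions as well.

```php
<?php
// Added example (not from the original question or answer): sanitise WYSIWYG
// output with HTML Purifier using an explicit tag/attribute whitelist, then
// store it with a parameterised query. Assumes HTML Purifier was installed via
// Composer (ezyang/htmlpurifier); the autoload path is an assumption.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

/**
 * Return an HTMLPurifier configured for rich-text editor output.
 * Anything not listed in HTML.Allowed is removed, so <script>, inline event
 * handlers (onerror, onclick, ...) and style attributes never survive.
 */
function editorPurifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Whitelist: formatting tags the editor produces, plus links and images
        // restricted to the attributes we are prepared to serve back to browsers.
        $config->set('HTML.Allowed',
            'p,br,strong,b,em,i,u,ul,ol,li,blockquote,h2,h3,'
            . 'a[href|title],img[src|alt|width|height]');
        // Only these URL schemes may appear in href/src; javascript: is rejected.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // User-supplied links get rel="nofollow".
        $config->set('HTML.Nofollow', true);
        // Drop empty elements editors tend to leave behind (e.g. <p></p>).
        $config->set('AutoFormat.RemoveEmpty', true);
        // Disable the definition cache so no writable cache directory is needed.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

/** Clean the editor's HTML while keeping the whitelisted markup intact. */
function cleanEditorHtml(string $dirty): string
{
    return editorPurifier()->purify($dirty);
}

/**
 * XSS and SQL injection are separate problems: purifying makes the string safe
 * to render as HTML, but storing it still needs a parameterised query.
 * 'posts' and 'body' are assumed table/column names.
 */
function storePost(PDO $pdo, string $cleanHtml): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $cleanHtml]);
}

// Constructed sample: the text from the question plus typical payloads that
// must be stripped. This is not live form input.
$sample = 'I would like to <strong>Save this data</strong>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">x</a>'
    . '<img src="x" onerror="alert(1)">';

// The question's approach: every tag is stripped, including the wanted <strong>.
// (FILTER_SANITIZE_STRING is also deprecated as of PHP 8.1.)
echo filter_var($sample, FILTER_SANITIZE_STRING), PHP_EOL;

// HTML Purifier keeps <strong>, removes <script> and the onerror handler, and
// drops the javascript: href because only http/https/mailto are allowed.
$clean = cleanEditorHtml($sample);
echo $clean, PHP_EOL;

// The purified string is HTML and is echoed as-is when rendering the page;
// wrapping it in htmlspecialchars() would display the tags as literal text.
```

Purify once, on the server, at the point where the POST body enters the application, and keep the whitelist as small as the editor's toolbar requires; widening `HTML.Allowed` later is easy, while tightening it after untrusted content has been stored is not.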