How to avoid auto escaping for displaying text typed in tinyMCE? [message #103265] Fri, 30 July 2010 03:06
anxious
Messages: 38
Registered: June 2010
Location: France
Member
Hello,

I've been using tinyMCE thanks to sfFormExtraPlugin.

When I create a job on the form, I use simple features of tinyMCE.

When the template displays what I typed, it echoes this:

<div><?php echo simple_format_text($st_job->getDescription()) ?></div>

<p>Hello</p>
<ul>
<li>it seems that</li>
<li>symfony</li>
<li>prevents html tags</li>
<li>being</li>
<li>parsed</li>
</ul>

What am I supposed to do? Thank you

[Updated on: Fri, 30 July 2010 03:15]

Re: How to avoid auto escaping for displaying text typed in tinyMCE? [message #103307 is a reply to message #103265] Fri, 30 July 2010 14:50
esukf
Messages: 65
Registered: December 2006
Member
<div><?php echo simple_format_text($st_job->getDescription(ESC_RAW)) ?></div>

More info here: http://www.symfony-project.org/gentle-introduction/1_4/en/07-Inside-the-View-Layer#chapter_07_output_escaping
Re: How to avoid auto escaping for displaying text typed in tinyMCE? [message #103314 is a reply to message #103307] Fri, 30 July 2010 17:33
anxious
Messages: 38
Registered: June 2010
Location: France
Member
Thank you

Does that mean that I'll be vulnerable to XSS attacks on the row that I don't escape?

[Updated on: Fri, 30 July 2010 17:35]

Re: How to avoid auto escaping for displaying text typed in tinyMCE? [message #103346 is a reply to message #103314] Sat, 31 July 2010 12:19
esukf
Messages: 65
Registered: December 2006
Member
Yes, you will need to filter the HTML before it gets inserted into your database.
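An added example of that filtering step (not code from the thread, from symfony or from sfFormExtraPlugin): a symfony 1.4 validator that passes the editor's HTML through HTMLPurifier with a tag allowlist before the form saves it, so the value the template later outputs with ESC_RAW only ever contains filtered markup. It assumes the HTMLPurifier library is installed on the include path, and the names sfValidatorSafeHtml, JobForm and the field description are hypothetical.

```php
<?php
// Added example: filter WYSIWYG HTML on the way into the database so that
// ESC_RAW in the template is safe. Assumes HTMLPurifier (htmlpurifier.org)
// is installed; class and field names below are hypothetical.
require_once 'HTMLPurifier.auto.php';

class sfValidatorSafeHtml extends sfValidatorBase
{
  protected function configure($options = array(), $messages = array())
  {
    // Only what a simple tinyMCE configuration produces. Everything else
    // (script, iframe, style, on* event handlers) is removed by the purifier.
    $this->addOption('allowed', 'p,br,strong,em,ul,ol,li,a[href]');
  }

  protected function doClean($value)
  {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', $this->getOption('allowed'));
    // Restrict link schemes so an href cannot carry a javascript: or data: URL.
    $config->set('URI.AllowedSchemes',
      array('http' => true, 'https' => true, 'mailto' => true));
    // HTMLPurifier needs a writable cache directory; reuse symfony's.
    $config->set('Cache.SerializerPath', sfConfig::get('sf_cache_dir'));

    $purifier = new HTMLPurifier($config);
    $clean = $purifier->purify($value);

    // Edge case: input that consisted only of disallowed markup purifies to
    // nothing, so treat it as a missing value instead of storing an empty row.
    if ('' === trim(strip_tags($clean)))
    {
      throw new sfValidatorError($this, 'required');
    }

    return $clean;
  }
}

// In the form class (hypothetical lib/form/JobForm.class.php): replace the
// generated validator for the tinyMCE field with the filtering one.
class JobForm extends BaseJobForm
{
  public function configure()
  {
    $this->validatorSchema['description'] = new sfValidatorSafeHtml();
  }
}
```

With the value filtered at save time, the template can keep `$st_job->getDescription(ESC_RAW)` as suggested above; filtering only at display time would leave other consumers of the same column (exports, feeds) exposed.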