November 15, 2013 at 9:02 pm #156232, Anonymous (Inactive)
I’m working on an admin panel for a blog and I want to be able to style the text in the text field when writing a new blog post. I want to be able to add bold, italic, links and other styles without going into the code. I want it to be similar to the comment styling here on css-tricks,
where I can actually add HTML tags in the text field to style the text. helloworld
I’m not exactly sure how to do this, though. Any ideas?
November 16, 2013 at 12:42 am #156241, __ (Participant)
Use a WYSIWYG editor, such as CKEditor or TinyMCE.
My personal “new favorite” is Hallo — it’s awesome, but it might not be what you need. There’s a lot more to handle yourself than with some other options.
November 16, 2013 at 12:29 pm #156266, Anonymous (Inactive)
Wow. I just discovered that HTML tags already work. I guess the text is confused for code when I add any HTML tag. Very convenient.
November 16, 2013 at 4:38 pm #156274, __ (Participant)
> Wow. I just discovered that HTML tags already work. I guess the text is confused for code when I add any HTML tag. Very convenient.

No no no, not “convenient.” Risky.
This means that you’re simply saving the submitted text “as-is”, which means you are vulnerable to XSS attacks. You need to validate and sanitize the data when it is submitted. There are tools, like HTML Purifier, that can help you do this.
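What “validate and sanitize” looks like in practice, as an added example that is not part of this thread and is not HTML Purifier itself: a small allowlist sanitizer built on Python’s standard-library `html.parser`. Only a fixed set of formatting tags and the `href` attribute on links survive; every other tag is stripped (its text is kept), `<script>`/`<style>` are removed together with their contents, `href` values must use an `http`/`https` scheme, and all text is re-escaped so stored input cannot inject markup. The tag and scheme allowlists are my assumptions for a blog post body; a real deployment should use a maintained library such as HTML Purifier or bleach rather than hand-rolling this.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for a blog post body): only these tags survive; every
# other tag is dropped, its text content is kept.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # per-tag attribute allowlist
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its contents are removed
SAFE_URL_SCHEMES = {"http", "https"}     # javascript:, data:, relative URLs are rejected


class AllowlistSanitizer(HTMLParser):
    """Re-serialises an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack so closing tags are emitted in order
        self.skipping = None  # set while inside <script>/<style>

    @staticmethod
    def _safe_href(value):
        if value is None:
            return None
        value = value.strip()
        # Allowlisting the scheme (rather than blocking "javascript:") also
        # catches obfuscated schemes, which urlparse simply fails to parse.
        if urlparse(value).scheme.lower() in SAFE_URL_SCHEMES:
            return value
        return None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # img, iframe, div, ... are dropped; their text is kept
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # on*=, style=, src= never get through
            if name == "href":
                value = self._safe_href(value)
                if value is None:
                    continue
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a":
            rendered.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(rendered)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # close anything left open inside this tag, then the tag itself
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            # convert_charrefs=True decoded entities; escape them back out
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a version of `fragment` that is safe to echo into a page."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: a benign post body and typical XSS payloads.
    for sample in ('<b>hello</b> world',
                   '<script>alert(1)</script>x',
                   '<img src=x onerror=alert(1)>text',
                   '<a href="javascript:alert(1)">click</a>'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The important design point is that it is an allowlist: the code never tries to enumerate dangerous tags, attributes or schemes, so a payload the author did not think of still falls through to “stripped” rather than “passed”.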
November 16, 2013 at 9:52 pm #156280, Anonymous (Inactive)
Thanks. Although would it matter if I mentioned that it’s only through the admin panel that I will be styling my text? Website visitors won’t have access to the admin panel and they can only add comments to blog posts using DISQUS. Or would I still need HTML Purifier?
November 16, 2013 at 10:38 pm #156283, __ (Participant)
> website visitors won’t have access to the admin panel
Just to clarify:
Most times people say this, what is meant is that a user can’t access the page (and therefore, the form) unless they’re logged in as an admin. This doesn’t solve anything, however. With a little research, I can send a POST request that looks like your form without even visiting your site.
The solution is to do the verification when the form is submitted, not when it is served. Using a validation token to identify your forms allows you to recognize, for example, when someone submits a form that is too old, has been used before, or was not even created by you in the first place.
> would I still need HTML Purifier?
If you’re careful, no, it’s not strictly necessary. However, if you are allowing any HTML input, it is still A Good Idea.
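The validation-token scheme described two paragraphs up, as an added example that is not part of this thread: tokens are issued when the form is served and checked when it is submitted, and verification rejects exactly the three cases named there, a token that is too old, one that has already been used, and one that was not created by the server at all (plus one issued for a different form). Assumptions: the server secret, the form identifiers and the in-process set of used nonces are mine; a real application keeps that set in its session store or database and prunes it.

```python
import hashlib
import hmac
import secrets
import time


class FormTokens:
    """Issues and verifies per-form tokens: HMAC over (form_id, issued_at, nonce).

    Verification rejects tokens not signed with our secret, tokens for a
    different form, tokens older than max_age_seconds, and replays.
    """

    def __init__(self, secret, max_age_seconds=3600, clock=time.time):
        self._secret = secret            # assumption: long random server-side secret
        self._max_age = max_age_seconds
        self._clock = clock              # injectable so expiry can be tested
        # Assumption: in-process set of accepted nonces. A real app stores
        # these server-side (session/db) and prunes entries older than max_age.
        self._used = set()

    def _sign(self, payload):
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, form_id):
        """Token to embed as a hidden field when the form is served."""
        payload = f"{form_id}:{int(self._clock())}:{secrets.token_hex(16)}"
        return f"{payload}:{self._sign(payload)}"

    def verify(self, form_id, token):
        """Check a submitted token. Returns (accepted, reason)."""
        try:
            tok_form, issued, nonce, sig = token.rsplit(":", 3)
            issued = int(issued)
        except (ValueError, AttributeError):
            return False, "malformed"
        # Signature first: anything we did not sign was not created by us.
        if not hmac.compare_digest(self._sign(f"{tok_form}:{issued}:{nonce}"), sig):
            return False, "bad signature"
        if tok_form != form_id:
            return False, "wrong form"
        now = self._clock()
        if now - issued > self._max_age or issued > now + 60:
            return False, "expired"
        if nonce in self._used:
            return False, "already used"
        self._used.add(nonce)   # accept exactly once
        return True, "ok"


def demo():
    """Constructed scenarios covering each rejection reason."""
    now = [1_700_000_000]   # fake clock, advanced by hand
    tokens = FormTokens(b"example-secret-change-me", max_age_seconds=600,
                        clock=lambda: now[0])
    results = {}

    fresh = tokens.issue("new-post")
    results["genuine"] = tokens.verify("new-post", fresh)      # (True, "ok")
    results["replayed"] = tokens.verify("new-post", fresh)     # (False, "already used")

    forged = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")  # flip last hex digit
    results["forged"] = tokens.verify("new-post", forged)      # (False, "bad signature")

    attacker = FormTokens(b"attacker-guess", clock=lambda: now[0])
    results["not_ours"] = tokens.verify("new-post", attacker.issue("new-post"))

    results["other_form"] = tokens.verify("delete-post", tokens.issue("new-post"))

    stale = tokens.issue("new-post")
    now[0] += 601
    results["stale"] = tokens.verify("new-post", stale)        # (False, "expired")

    results["garbage"] = tokens.verify("new-post", "not-a-token")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Note that the token is checked on submission only; whether the form page was ever served to the requester is irrelevant, which is the point made above about hand-built POST requests. Checking the signature before anything else means a forged token reveals nothing about form names or expiry windows.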