Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

  • #156232
    Anonymous
    Inactive

    I’m working on an admin panel for a blog and I want to be able to style the text in the text field when writing a new blog post. I want to be able to add bold, italic, links and other styles without going into the code. I want it to be similar to the comment styling here on css-tricks, where I can actually add HTML tags in the text field to style the text.

    helloworld

    I’m not exactly sure how to do this though. Any ideas?

    #156241
    __
    Participant

    Use a WYSIWYG editor, such as CKEditor or TinyMCE.

    My personal “new favorite” is Hallo — it’s awesome, but it might not be what you need. There’s a lot more to handle yourself than with some other options.

    #156266
    Anonymous
    Inactive

    Wow. I just discovered that HTML tags already work. I guess the text is confused for code when I add any HTML tag. Very convenient.

    #156274
    __
    Participant

    Wow. I just discovered that HTML tags already work. I guess the text is confused for code when I add any HTML tag. Very convenient.

    nonono, not “convenient.” risky.

    This means that you’re simply saving the submitted text “as-is”, which means you are vulnerable to XSS attacks. You need to validate and sanitize the data when it is submitted. There are tools, like HTML Purifier, that can help you do this.

    #156280
    Anonymous
    Inactive

    Thanks. Although would it matter if I mentioned that it’s only through the admin panel that I will be styling my text? Website visitors won’t have access to the admin panel and they can only add comments to blog posts using DISQUS. Or would I still need HTML Purifier?

    #156283
    __
    Participant

    Website visitors won’t have access to the admin panel

    Just to clarify:

    Most times people say this, what is meant is that a user can’t access the page (and therefore, the form) unless they’re logged in as an admin. This doesn’t solve anything, however. With a little research, I can send a POST request that looks like your form without even visiting your site.

    The solution is to do the verification when the form is submitted, not when it is served. Using a validation token to identify your forms allows you to recognize, for example, when someone submits a form that is too old, has been used before, or was not even created by you in the first place.

    Would I still need HTML Purifier?

    If you’re careful, no, it’s not strictly necessary. However, if you are allowing any HTML input, it is still A Good Idea.
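An added example (not code from any poster in this thread) of the submit-time token check described above, in Python: the token is an HMAC over the form name, the admin’s session id and an issue time, so the server can tell a submission that is too old, has been used before, or was never created by it. The secret key, the session id and the one-hour TTL are assumptions; sanitizing the HTML itself (the HTML Purifier step) is a separate check not shown here.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed for this example: a server-side secret (generated per run here) and
# a session id for the logged-in admin, both of which a real app would supply.
SECRET_KEY = os.urandom(32)
TOKEN_TTL = 3600  # seconds a token stays valid once issued

def _sign(form_name, session_id, nonce, ts, secret):
    """HMAC over everything that identifies this particular form instance."""
    msg = f"{form_name}|{session_id}|{nonce}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_token(form_name, session_id, secret=SECRET_KEY, now=None):
    """Token to embed in the form as a hidden field: nonce.timestamp.mac"""
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    ts = str(int(time.time() if now is None else now))
    return f"{nonce}.{ts}.{_sign(form_name, session_id, nonce, ts, secret)}"

class FormTokenVerifier:
    """Checks a submitted token; remembers accepted nonces so each is single-use."""

    def __init__(self, secret=SECRET_KEY, ttl=TOKEN_TTL):
        self.secret, self.ttl = secret, ttl
        self._used = set()  # in a real app: a store shared by all workers

    def verify(self, form_name, session_id, token, now=None):
        """Return (accepted, reason) for a token that arrived with a POST."""
        now = time.time() if now is None else now
        try:
            nonce, ts, mac = token.split(".")
            issued = int(ts)
        except (ValueError, AttributeError):
            return False, "malformed"
        # Not created by us, or made for another form/session: MAC mismatch.
        expected = _sign(form_name, session_id, nonce, ts, self.secret)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "not ours"
        # Too old (or claiming to come from the future).
        if now - issued > self.ttl or issued > now + 60:
            return False, "expired"
        # Used before: submitting the same form twice is rejected.
        if nonce in self._used:
            return False, "replayed"
        self._used.add(nonce)
        return True, "ok"
```

The verifier runs on every POST regardless of who served the form, which is the point made above: a request that merely looks like your form, but carries no token you issued, fails the first check.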
