WYSIWYG editor also in Add FAQ page for non logged users

In this board you can talk about general questions about phpMyFAQ

Moderator: Thorsten

galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Post by galerio »

Is there a way to enable the WYSIWYG editor also for non-logged-in users on the Add FAQ page?
FAQs posted by users are just plain text, without anything, and an admin must do all the work to transform them into a decent form with links, paragraphs and all the other things.
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

you could add the WYSIWYG editor, but have you thought about the security issues of letting everyone post HTML content to your FAQ?

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

I enabled TinyMCE, but the HTML tags are removed when I submit a new FAQ as a non-logged-in user.
How can I maintain the HTML code and also permit only certain code (for example, the only allowed code is br, b, u, ul, li, img and so on)?

Thanks
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

you have to change some code in save.php.

You have to change the line

http://github.com/thorsten/phpMyFAQ/blo ... ve.php#L41

to

$content = PMF_Filter::filterInput(INPUT_POST, 'content', FILTER_SANITIZE_STRING);
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

I have modified it but nothing changed; the text is saved without any HTML tags.
And also now, even if I have checked the Active button of a new FAQ, it doesn't appear on the site. I must modify that FAQ and click on save to see it on the public website.

The site is 1e2.it/faq
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

okay, just take a look into admin/record.add.php for which filter you will need.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

Hi,
I tried several times, but I'm not able to find the right way to modify record.add.php. Can you help me, please?

Anyway, a suggestion for a future release could be a filter that enables only certain HTML tags like b, ul, li, s... just like in a forum.
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

it's this line of code:

$content = PMF_Filter::filterInput(INPUT_POST, 'content', FILTER_SANITIZE_SPECIAL_CHARS);
I'm thinking about a safe solution for enabling HTML support.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

I have already tried to comment out that line or to use FILTER_VALIDATE_INT or other type of filter but no success.
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

FILTER_VALIDATE_INT cannot work because it checks for integer values. The code above works.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

The code above is the original code, so it doesn't work.
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

if you comment that code out, it cannot work. You have to use FILTER_SANITIZE_SPECIAL_CHARS instead of the current FILTER_SANITIZE_STRING, otherwise all HTML will be removed.

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

Ok, so I have only to modify save.php and use instead of line 41

$content     = PMF_Filter::filterInput(INPUT_POST, 'content', FILTER_SANITIZE_SPECIAL_CHARS);
and the admin/record.add.php should remain the same, so the line 50 is

$content       = PMF_Filter::filterInput(INPUT_POST, 'content', FILTER_SANITIZE_SPECIAL_CHARS);
In this way it works perfectly. Thank you.
Thorsten
Posts: 15561
Joined: Tue Sep 25, 2001 11:14 am
Location: #phpmyfaq

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by Thorsten »

Hi,

good. :-)

bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
galerio
Posts: 17
Joined: Sat May 01, 2010 10:54 am

Re: WYSIWYG editor also in Add FAQ page for non logged users

Post by galerio »

To secure the WYSIWYG editor against HTML attacks there are valid methods:
http://framework.zend.com/manual/en/zen ... input.html
http://htmlpurifier.org/
and the one I'm going to implement HTMLawed: http://www.bioinformatics.org/phplabwar ... /htmLawed/
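
The tag allowlist asked for in this thread (only br, b, u, ul, li, img and similar), as an added example that is not phpMyFAQ code and not written by either poster. It contrasts FILTER_SANITIZE_SPECIAL_CHARS, which HTML-encodes the submitted markup, with a DOM-based allowlist; the function names, the permitted attributes and the sample input are assumptions made for the illustration.

```php
<?php
// Added illustration, not phpMyFAQ code. Tag => permitted attributes (assumed list).
const ALLOWED_TAGS = [
    'b' => [], 'u' => [], 'br' => [], 'ul' => [], 'li' => [],
    'img' => ['src', 'alt'],
];

function cleanNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                  // text is escaped again on output
        }
        $tag = strtolower($child->nodeName);
        if (!($child instanceof DOMElement) || !array_key_exists($tag, ALLOWED_TAGS)) {
            $node->removeChild($child);                // comments, script, iframe, ...
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true);
            if ($keep && $name === 'src') {            // only absolute http(s) URLs
                $keep = preg_match('#^https?://#i', trim($attr->nodeValue)) === 1;
            }
            if (!$keep) {
                $child->removeAttribute($attr->nodeName);
            }
        }
        cleanNode($child);                             // descend into kept elements
    }
}

function sanitizeFaqHtml(string $html): string
{
    $doc = new DOMDocument();
    // The <div> wrapper lets us serialise only the submitted fragment afterwards.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_NOERROR | LIBXML_NOWARNING);
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample submission from an anonymous user.
$submitted = '<b>Reset</b> it<br><img src="https://example.org/a.png" onerror="alert(1)">'
           . '<script>alert(2)</script><ul><li onclick="x()">step</li></ul>';
echo filter_var($submitted, FILTER_SANITIZE_SPECIAL_CHARS), "\n"; // markup kept, as entities
echo sanitizeFaqHtml($submitted), "\n";                          // allowlisted markup only
```

Disallowed elements are dropped together with their content rather than unwrapped. For a public submission form, a maintained sanitizer such as the libraries linked in the post above covers parser edge cases this sketch does not.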