Problem description:

I have a text editor on a WordPress blog and I want to use HTML Purifier to purify users' input before inserting it into the database. The text editor is an iframe, so I get the content by using

 document.getElementById("comments_comments").value=$("#textEditor").contents().find("body").html();

when users click on the submit button.

I followed the basic instructions from HTML Purifier like this:

 if (isset($_SESSION["user"]) && $_SESSION["user"] != "") {
     require_once '/path/to/HTMLPurifier.auto.php';
     $config = HTMLPurifier_Config::createDefault();
     $purifier = new HTMLPurifier($config);
     $comments = $purifier->purify($_POST["comments"]);
     $sql = $wpdb->prepare("INSERT INTO mytable SET comments = %s", array($comments));
     $wpdb->query($sql);
 }

But the code doesn't have any effect at all. I was expecting the <script> tags to be completely removed, but they are still stored in the database as &lt;script&gt;, which I think is the work of the wpdb prepare statement. Does the above configuration not work with $_POST? Any help would be appreciated.

Answer:

First, make sure you really disallow this tag:

 $config->set('HTML.ForbiddenElements', ['script']);

You're talking about ending up with this in the database:

 &lt;script&gt;

Are you sure you aren't already using htmlspecialchars()? Maybe with something like this?

 foreach ($_POST as $key => $value) {
     $_POST[$key] = htmlspecialchars($value);
 }

I am 99.99 % sure it has nothing to do with the database. If you did var_dump($comment) instead of inserting into a database, it would be the same.
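The following is an added example, not code from the question or the answer. It reproduces the symptom described above side by side: HTML Purifier applied to the raw editor markup drops the script element, while the same markup passed through htmlspecialchars() first reaches the purifier as plain text and comes back entity-encoded. The library path, the sample input and the looksPreEscaped() helper are assumptions for illustration.

```php
<?php
// Added example: why an htmlspecialchars() pass before purify() leaves
// "&lt;script&gt;" in the database. Assumes HTML Purifier is installed;
// the include path below is a placeholder.
require_once '/path/to/HTMLPurifier.auto.php'; // placeholder path

$config = HTMLPurifier_Config::createDefault();
// The default allowlist already excludes <script>; forbidding it explicitly
// makes the policy visible to whoever reviews this code later.
$config->set('HTML.ForbiddenElements', ['script']);
$purifier = new HTMLPurifier($config);

// Constructed sample of what the iframe editor would submit.
$raw = '<p>Hello</p><script>alert(1)</script>';

// Case 1: purify the raw markup. The <script> element is removed and
// only the allowed <p> survives.
$cleanFromRaw = $purifier->purify($raw);

// Case 2: the same markup escaped first, as the loop over $_POST in the
// answer would do. The purifier sees no tags at all, only text containing
// entities, so it returns that text unchanged, angle brackets still encoded.
$escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
$cleanFromEscaped = $purifier->purify($escaped);

var_dump($cleanFromRaw);
var_dump($cleanFromEscaped);

// Hypothetical helper: a quick check to run on $_POST["comments"] before
// purify(). If it returns true, something earlier in the request pipeline
// has already entity-encoded the input, which is what the answer suspects.
function looksPreEscaped(string $input): bool
{
    return preg_match('/&(lt|gt|#60|#62|#x3c|#x3e);/i', $input) === 1;
}

var_dump(looksPreEscaped($raw));      // raw markup: not pre-escaped
var_dump(looksPreEscaped($escaped));  // escaped markup: pre-escaped
```

Run the check against the real request once; if it fires, locate and remove the escaping step so that purify() receives markup, and escape only when rendering the stored value into a context that needs it.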
