IsaacBen

Escaping HTML from users

I have a small problem. I'm allowing users to upload a caption for an image, but since it can be too long I've added a "read more" link, and to show it properly I'm using {!! $string !!}, otherwise it will print the HTML tags. On the other hand, I don't want users to insert HTML code. Is there a way to allow it just for me?

0 likes
4 replies
sitesense
Level 19

Well, if you need to allow HTML at all, you can't use {!! $string !!}. (That's not entirely true - read the 'LAST PART'.)

The easy, but not recommended way, would be to use strip_tags() on the input, if the Auth::user()->id is not you (or an admin).

The problem with strip_tags() is that it's not 100% reliable. "Partial or broken tags can result in the removal of more data than expected".

I think you need to be looking at HTMLPurifier, which is more complicated and needs some setup, but safer. Run the input through that for any user but yourself, or have different configs of HTMLPurifier for admin and regular users.

LAST PART :)

OK, thinking 'out of the box', you could use {!! $string !!} without any of the above...

Add a flag (column) in your DB like is_safe_html that is set to true (or 1) for the 'caption', only when YOU (or admin) edit/create it.

Then in your view you could use something like this:

@if ($caption->is_safe_html === 1)
    {{{{ $string }}}}
@else
    {!! $string !!}
@endif

Fooking Blade formatting in the forum lol... gimme a minute while I figure this out :D OK - I think you can figure this out - just replace '{{{{' and '}}}}' with '{{' and '}}'. Sorry, the forum seems to be stripping anything within those brackets.

IsaacBen

@sitesense Thanks for the long response. I was playing with the code and I think I found a solution. Since I only need to allow code with HTML tags from my own editor, I applied the escaping only to users' input.

$caption = htmlspecialchars($images->caption);

And I used $caption instead, so it seems to work.

sitesense

You know, actually that's messed up and I got the tags back to front, although the logic is right.

Gonna edit that so anyone reading the answer, please look here:

Well, if you need to allow HTML at all, you can't use {{ $string }} to escape the output. (That's not entirely true - read the 'LAST PART'.)

The easy, but not recommended way, would be to use strip_tags() on the input, if the Auth::user()->id is not you (or an admin).

The problem with strip_tags() is that it's not 100% reliable. "Partial or broken tags can result in the removal of more data than expected".

I think you need to be looking at HTMLPurifier, which is more complicated and needs some setup, but safer. Run the input through that for any user but yourself, or have different configs of HTMLPurifier for admin and regular users.

LAST PART :)

OK, thinking 'out of the box', you could use {{ $string }} without any of the above...

Add a flag (column) in your DB like is_safe_html that is set to true (or 1) for the 'caption', only when YOU (or admin) edit/create it.

Then in your view you could use something like this:

@if ($caption->is_safe_html === 1)
    {!! $string !!}
@else
    {{{{ $string }}}}
@endif

Fooking Blade formatting in the forum lol... gimme a minute while I figure this out :D OK - I think you can figure this out - just replace '{{{{' and '}}}}' with '{{' and '}}'. Sorry, the forum seems to be stripping anything within those brackets.
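The corrected answer above as a runnable illustration. This is an added example, not code from the thread or from Laravel: plain PHP stands in for the Blade view and the Eloquent row, the captions are constructed sample data, and it also shows the strip_tags() over-removal the answer quotes from the PHP manual.

```php
<?php
// Added example (not from the thread). Plain PHP standing in for the Blade
// view and the DB row; $captions below are constructed sample rows.

/** Build the row to store. The flag comes from the author's role, never from the request. */
function captionRecordForStorage(string $body, bool $authorIsAdmin): array
{
    return ['body' => $body, 'is_safe_html' => $authorIsAdmin ? 1 : 0];
}

/**
 * Equivalent of the corrected Blade snippet: raw output only when the row was
 * flagged safe at save time, otherwise the same escaping Blade's {{ }} applies
 * (htmlspecialchars with ENT_QUOTES, UTF-8).
 */
function renderCaption(array $caption): string
{
    if ((int) $caption['is_safe_html'] === 1) {
        return $caption['body'];
    }
    return htmlspecialchars($caption['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Why the answer warns against strip_tags(): a lone '<' with no matching '>'
 * is treated as an unterminated tag and the text after it is discarded,
 * whereas escaping keeps the text intact and still neutralises the markup.
 */
function compareFilters(string $text): array
{
    return [
        'strip_tags'       => strip_tags($text),
        'htmlspecialchars' => htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Constructed sample rows: an admin-authored caption with the "read more" link,
// a user-authored caption containing markup, and one with a stray '<'.
$captions = [
    captionRecordForStorage('Sunset over the bay <a href="/photos/1">read more</a>', true),
    captionRecordForStorage('Nice shot <script>alert(1)</script>', false),
    captionRecordForStorage('Price <5 and this part must survive', false),
];

foreach ($captions as $row) {
    echo renderCaption($row), PHP_EOL;
}
print_r(compareFilters($captions[2]['body']));
```

Keep is_safe_html out of any mass-assignable attributes so a regular user cannot set it through the request body; captionRecordForStorage() is where the decision belongs.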
