
Ligonsker's avatar

What validation rules should I have for a WYSIWYG editor input?

Hello,

I started using TinyMCE and currently the only validation rule I have is string (and min/max). But is it correct? Are there any more important validation rules I need to add to the input? From what I've seen, the <script> tags are already stripped.

Ty!

0 likes
3 replies
dualklip's avatar

In terms of rules, I think what you are doing is OK. If you want to implement more logic around this, you can use the HTML Purifier package (ezyang/htmlpurifier) or another similar one to eliminate any potential XSS attacks.

This is an example of one of my implementations

$request->validate([
    'editorContent' => [
        'required', 
        'string', 
        'max:3000', // Adjust the value to suit your requirement
    ],
]);
1 like
Robstar's avatar

You'll also most likely want to filter out HTML as the suggestions from @dualklip will allow anything.

https://github.com/stevebauman/purify is good and will give you fine-grained control over what is and isn't allowed.

Ultimately, I'm all for only storing safe and expected HTML in my database.

1 like
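
The server-side filtering both replies point to, as an added example that is not part of the original thread: it runs submitted editor HTML through ezyang/htmlpurifier with an explicit allowlist, because the request body is whatever the client sends, whether or not TinyMCE cleaned it in the browser. The helper name `sanitizeEditorContent`, the allowed tag list and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical helper: reduce editor HTML to an explicit allowlist.
 * The tag/attribute list is an assumption; match it to the toolbar you enable.
 */
function sanitizeEditorContent(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements and attributes survive; everything else is dropped.
    $config->set('HTML.Allowed', 'p,br,strong,em,u,ul,ol,li,blockquote,a[href|title]');
    // Links may only use these schemes, which removes javascript: and data: URLs.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    // Skip the on-disk definition cache so the example needs no writable cache dir.
    $config->set('Cache.DefinitionImpl', null);

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample: markup a request could carry if it is sent without
// going through the editor. All of it passes the 'string' and 'max:3000' rules.
$submitted = '<p onclick="track()">Hello <strong>world</strong></p>'
    . '<img src="x" onerror="alert(1)">'
    . '<a href="javascript:alert(1)">link</a>'
    . '<a href="https://example.com/docs" style="position:fixed">docs</a>'
    . '<iframe src="https://example.com/"></iframe>';

$clean = sanitizeEditorContent($submitted);

// Re-check the length on what will actually be stored.
if (mb_strlen($clean) > 3000) {
    throw new LengthException('editorContent exceeds 3000 characters after sanitization');
}

// Store and later render $clean, not the raw request value.
echo $clean, PHP_EOL;
```

In a Laravel controller the same call would sit right after `$request->validate(...)`, applied to the validated `editorContent` value before it is saved.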
