I was wondering about which way I should do the following. I am using the TinyMCE WYSIWYG editor, which formats the user's data with the right HTML tags. Now, I need to save this data entered into the editor into a database table.
Should I encode the HTML tags to their corresponding entities when inserting into the DB, then when I get the data back from the table, not have to encode it for XSS purposes, but I’d still have to use eval for the HTML tags to format the text?
OR
Do I save the HTML tags into the database, then when I get the data back from the database encode the HTML tags to their entities, but then, as the tags will appear to the user, I’d have to use the eval function to actually format the data as it was entered?
My thoughts are with the first option; I just wondered what you guys thought.
Neither. You store the HTML “as-is” so when you pull it out it's ready for rendering. You shouldn't be converting back and forth. What you put in should be what you display. What you want to do is filter the input before you put it into the DB. Both TinyMCE and CK/FCKEditor have facilities to limit the tags that can be used in an editor and it will strip those tags for you. Then you just need to perform any other necessary validation or formatting.
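The answer above recommends filtering the submitted HTML down to an allowed set of tags before it is stored, then rendering the stored HTML as-is. The example below is an added illustration of that filtering step, not code from the question, the answer, TinyMCE or CKEditor: a small allowlist sanitizer written with Python's standard-library `html.parser`. The tag/attribute allowlist and the sample inputs are constructed assumptions to be adapted to whatever the editor is configured to produce. It belongs on the server, at write time, because the editor's own tag restrictions run in the browser and do not apply to a request that bypasses the editor.

```python
"""Allowlist HTML sanitizer for rich-text editor input (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption): tags the editor may produce, mapped to the
# attributes each may carry. Anything not listed here is dropped, so event
# handler attributes (onclick, onerror, ...) never survive.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "u": set(), "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}                     # tags that take no closing tag
DROP_CONTENT = {"script", "style"}     # drop these tags *and* their contents
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL


def _safe_url(value: str) -> bool:
    # Browsers ignore tab/newline inside a URL, so strip them before looking
    # at the scheme; otherwise "java\tscript:" would parse as scheme-less.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # output fragments
        self.open_stack = []   # allowed tags currently open, for balancing
        self.skip_depth = 0    # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag: drop the tag, keep its (escaped) text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue
            if name == "href" and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS and tag not in DROP_CONTENT:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if tag in self.open_stack:
            # Close everything down to this tag so the output stays balanced.
            while self.open_stack:
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Text is re-escaped, so a literal "<" or "&" can never start markup.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_stack:  # close anything the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    """Return HTML containing only allowlisted tags/attributes and escaped text."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, the kind a sanitizer test suite checks.
    for sample in (
        '<p onclick="alert(1)">Hi <b>there</b><script>alert(1)</script></p>',
        '<a href="javascript:alert(1)">x</a><a href="https://example.com">y</a>',
        '<p>Tom &amp; Jerry</p><img src="x" onerror="alert(1)">',
        '<b>left open',
    ):
        print(repr(sanitize(sample)))
```

Store the return value of `sanitize()` and render it without further encoding, which is exactly the "what you put in is what you display" flow from the answer. The stored HTML still has to be used only in HTML body context; it is not safe to drop into an attribute or a script block.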