Although, as Son also pointed out, when you're printing user-entered HTML, you should also pass it through the "clean_html" method, which uses the HTMLPurifier library to try to strip out any malicious code.
(In case you're wondering, you can actually use the "|" in Dwoo to pass a variable through any function that's in the global namespace at the time the template is rendered.)
Cheers,
Aaron
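The three template variants discussed in this thread, as an added stand-alone PHP example (not Mahara's or Dwoo's own code). It assumes HTMLPurifier is available through a Composer autoloader at vendor/autoload.php; the sample description is constructed for the demo. It shows what reaches the browser for plain auto-escaping, for |safe on its own, and for |clean_html|safe, where clean_html is stood in for by a direct HTMLPurifier call.

```php
<?php
// Added example, not Mahara code: why a WYSIWYG description must be purified
// before it is marked |safe in a Dwoo template.
// Assumption: HTMLPurifier installed via Composer (vendor/autoload.php).
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample: legitimate formatting plus markup a purifier should drop.
$description = '<p>Completed <b>first aid</b> course.</p>'
             . '<script>alert(1)</script>'
             . '<a href="javascript:alert(1)" onclick="alert(1)">link</a>';

// Case 1: {$activity->description} with Dwoo's default auto-escaping.
// Safe, but the user sees the tags as text, which is the symptom in the question.
function renderEscaped(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Case 2: {$activity->description|safe} on its own.
// Raw HTML reaches the browser, including the script tag and event handler.
function renderSafeOnly(string $html): string
{
    return $html;
}

// Case 3: {$activity->description|clean_html|safe}.
// Purify first, then mark the result safe. This stands in for Mahara's
// clean_html(), which wraps HTMLPurifier in the same way.
function renderCleanThenSafe(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

echo "escaped (auto-escape only):\n", renderEscaped($description), "\n\n";
echo "raw (|safe only):\n", renderSafeOnly($description), "\n\n";
echo "purified (|clean_html|safe):\n", renderCleanThenSafe($description), "\n";
```

With HTMLPurifier's default configuration the purified output keeps the <p>, <b> and <a> elements, while the <script> block, the onclick handler and the javascript: href are removed. The order of the modifiers matters: |safe|clean_html would not help, because the purifier has to run before the output is declared safe for the template engine.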

It would be good if you clean it up before displaying it, like
$activity->description|clean_html|safe
You can see a similar patch at https://reviews.mahara.org/#/c/1207/
Cheers,
Son Nguyen

Is that the recommended way to do things?

Hopefully a pretty straightforward question.
I'm attempting to improve the CPD plugin by using a WYSIWYG editor rather than a TextArea for the Description. There have been a few similar requests to make the description field of Collections and Plans WYSIWYG too.
Input is simply achieved by replacing the relevant 'textarea' pieform element with a 'wysiwyg' pieform element (though I have not found much documentation on this). This is successfully stored in the database.
However, when displayed, the HTML tags have been converted to entities, so the content does not display correctly. e.g. <p> ends up as &lt;p&gt;
I presume I need to apply (or not apply!) some form of filter function in the relevant PHP or in the Smarty templates. Any suggestions?
Thanks