Forums | Mahara Community
Display of content entered with 'wysiwyg' pieform element
04 December 2013, 7:13
Hi folks.
Hopefully a pretty straight-forward question.
I'm attempting to improve the CPD plugin by using a WYSIWYG editor rather than a TextArea for the Description. There have been a few similar requests to make the description field of Collections and Plans WYSIWYG too.
Input is simply achieved by replacing the relevant 'textarea' pieform element with a 'wysiwyg' pieform element (though not found much documentation on this). This is successfully stored in the database.
However, when displayed, the html tags have been converted to code, so the content does not display correctly. e.g. <p> ends up as &lt;p&gt;
I presume I need to apply (or not apply!) some form of filter function in the relevant PHP or in the Smarty templates. Any suggestions?
Thanks
04 December 2013, 8:54
After a little trial-and-error, found running the description variable in the tpl file through the 'safe' function seems to work. e.g. $activity->description|safe
Is that the recommended way to do things?
04 December 2013, 9:10
Hi Geoff;
It would be good if you clean it up before displaying it, like
$activity->description|clean_html|safe
You can see a similar patch at https://reviews.mahara.org/#/c/1207/
Cheers,
Son Nguyen
04 December 2013, 15:17
To sort of expand on what Son said, by default Dwoo passes every variable through the htmlspecialchars() function. If you put "|safe" on the end, it informs Dwoo that it doesn't need to do that. So you're correct, this is the right way to do it.
Although, as Son also pointed out, when you're printing user-entered HTML, you should also pass it through the "clean_html" method, which uses the HTMLPurifier library to try to strip out any malicious code.
(In case you're wondering, you can actually use the "|" in Dwoo to pass a variable through any function that's in the global namespace at the time the template is rendered.)
Cheers,
Aaron
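
The three template forms discussed in this thread, side by side, as an added example that is not part of the original posts and is not Mahara or Dwoo code. It assumes HTMLPurifier is installed through Composer (ezyang/htmlpurifier) and uses its default configuration as a stand-in for Mahara's clean_html(), whose own configuration may differ; the description string and the render() helper are constructed for illustration.

```php
<?php
// Added example, not Mahara or Dwoo source.
// Assumption: HTMLPurifier installed via Composer (ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

// Constructed sample of what a WYSIWYG description field might store.
$description = '<p>Attended a <strong>workshop</strong>.</p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(1)">notes</a>';

// Stand-in for clean_html(): HTMLPurifier with its default configuration.
function purifier(): HTMLPurifier
{
    static $instance = null;
    if ($instance === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('Cache.DefinitionImpl', null); // no writable cache dir needed
        $instance = new HTMLPurifier($config);
    }
    return $instance;
}

// Hypothetical helper: reproduce what each template form hands to the browser.
function render(string $html, string $form): string
{
    switch ($form) {
        case '{$activity->description}':
            // Default: every variable is passed through htmlspecialchars().
            return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
        case '{$activity->description|safe}':
            // |safe turns the escaping off, so stored markup is emitted as-is.
            return $html;
        case '{$activity->description|clean_html|safe}':
            // Sanitise first, then emit the sanitised markup unescaped.
            return purifier()->purify($html);
    }
    throw new InvalidArgumentException("unknown form: $form");
}

foreach (['{$activity->description}',
          '{$activity->description|safe}',
          '{$activity->description|clean_html|safe}'] as $form) {
    $out = render($description, $form);
    // Flag markup a browser would execute: a script element or a javascript: link.
    $active = stripos($out, '<script') !== false
           || stripos($out, 'href="javascript:') !== false;
    printf("%s\n  active content: %s\n  %s\n\n", $form, $active ? 'YES' : 'no', $out);
}
```

Only the |safe form on its own reports active content; the default form shows the tags as literal text, and the purified form keeps the formatting markup while dropping the script element and the javascript: link target.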