Forums | Mahara Community

Developers /
Display of content entered with 'wysiwyg' pieformd element


Geoff Rowland's profile picture
Posts: 108

04 December 2013, 7:13 AM

Hi folks.

Hopefully a pretty straight-forward question.

I'm attempting to improve the CPD plugin to by using a WYSIWYG editor rather than a TextArea for the Description. There have been a few similar requests to make the description field of Collections and Plans WYSIWYG too.

Input is simply achieved by replacing the relevant 'textarea' pieform element with a 'wysiwyg'  pieform element (though not found much documentation on this). This is sucessfully stored in the database.

However, when displayed, the html tags have been converted to code, so the content does not display correctly. e.g. <p> ends up as &lt;p&gt;

I presume I need to apply (or not apply!) some form of filter function in the relevant PHP or in the Smarty templates. Any suggestions?

Thanks

 

Geoff Rowland's profile picture
Posts: 108

04 December 2013, 8:54 AM

After a little trial-and-error, found running the description variable in the tpl file through the 'safe' function seems to work. e.g. $activity->description|safe

Is that the recommended way to do things?

Son Nguyen's profile picture
Posts: 28

04 December 2013, 9:10 AM

Hi Geoff;

It woud be good if you clean it up before display it like

$activity->description|clean_html|safe

You can see a similar patch at https://reviews.mahara.org/#/c/1207/

Cheers,

Son Nguyen

Aaron Wells's profile picture
Posts: 896

04 December 2013, 3:17 PM

To sort of expand on what Son said, by default Dwoo passes every variable through the htmlspecialchars() function. If you put "|safe" on the end, it informs Dwoo that it doesn't need to do that. So you're correct, this is the right way to do it.

Although, as Son also pointed out, when you're printing user-entered HTML, you should also pass it through the "clean_html" method, which uses the HTMLPurifier library to try to strip out any malicious code.

(In case you're wondering, you can actually use the "|" in Dwoo to pass a variable through any function that's in the global namespace at the time the template is rendered.)

Cheers,

Aaron

Geoff Rowland's profile picture
Posts: 108

05 December 2013, 9:10 AM

Thanks guys for the clarification :-)

5 results