I have used wmd-editor in my CakePHP v1.3 application.
The config which I have written is as follows:
wmd_options = {
output: "HTML",
lineLength: 40,
buttons: "bold italic | link blockquote code image | ol ul heading hr",
autostart: true
};
When I submit the form, the HTML in the WMD-enabled textarea is saved in the database with htmlentities() applied to the text; then it is decoded automatically with the html_entity_decode() method.
But the text is displayed as-is, including the HTML markup, like this:
<p><strong>hello dear friends</strong></p> <pre><code>I want to make sure that everything that you type is visible clearly. adasfafas </code></pre> <blockquote> <p>sadgsagasdgxcbxcbxc</p> </blockquote> <p><em>sadfgsgasdsgasgs</em></p> <p><b><a href="http://kumu.in">this is the link</a></b></p>
Please help me solve this problem.
Thanks.
Since you have set the option output: "HTML", it is saved as HTML; however, you can use the strip_tags function to remove HTML tags from the text.
For sanitization against XSS, it's generally better to save the raw HTML in the database without modification and sanitize at the time of output/display. Use the Sanitize core library.
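The three handling options this thread touches on (entity-encode on save, strip_tags, store raw and sanitize on output), run over a constructed WMD output string as an added example; this is plain PHP written for this page, not code from the question, the answer, or CakePHP, and the helper names and the attribute-filtering regexes are assumptions for illustration.

```php
<?php
// Constructed sample of what the WMD editor emits with output: "HTML".
// The onclick attribute is included only to show what each option keeps.
$wmdOutput = '<p><strong>hello dear friends</strong></p>'
    . '<p><a href="http://kumu.in" onclick="x()">this is the link</a></p>';

// 1. What the question describes: the markup is entity-encoded when saved
//    and decoded when read. If the view then escapes it again (or the stored
//    entities are echoed unchanged), the browser shows the literal tags.
function saveEncoded($html)   { return htmlentities($html, ENT_QUOTES, 'UTF-8'); }
function readDecoded($stored) { return html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); }
$stored      = saveEncoded($wmdOutput);
$shownAsText = htmlspecialchars(readDecoded($stored), ENT_QUOTES, 'UTF-8');

// 2. strip_tags() with no allow-list: every tag is removed, so the text is
//    safe to echo but all formatting from the editor is lost.
$plain = strip_tags($wmdOutput);

// 3. Store the raw HTML and sanitize at display time. strip_tags() with an
//    allow-list keeps the listed tags but does not touch their attributes, so
//    the onclick above survives; an attribute filter is still needed.
//    (CakePHP 1.3's Sanitize::html() only entity-encodes or strips all tags;
//    it is not an allow-list sanitizer.)
$allowedTags = '<p><strong><em><a><pre><code><blockquote><ol><ul><li>';
$kept = strip_tags($wmdOutput, $allowedTags);

// Simplified attribute filter (hypothetical helper): drop on* event handlers
// and replace any href that is not plain http(s). A dedicated HTML
// sanitizer library is the robust choice for production.
function dropUnsafeAttributes($html) {
    $html = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
    return preg_replace_callback('/href\s*=\s*"([^"]*)"/i', function ($m) {
        return preg_match('#^https?://#i', $m[1]) ? $m[0] : 'href="#"';
    }, $html);
}
$safe = dropUnsafeAttributes($kept);

echo "Escaped (tags visible as text):\n", $shownAsText, "\n\n";
echo "strip_tags (plain text):\n", $plain, "\n\n";
echo "Raw stored, filtered on output:\n", $safe, "\n";
```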