1 (edited by liamdawe 2012-07-04 12:48:24)

Topic: Confused by the readme and usage with TinyMCE

Hi all, I am trying to figure out how to properly use this. I am using it in conjunction with TinyMCE.

I am guessing I have to set the config to allow certain things and disallow others, but the readme really does confuse me.

The problem I am facing is that when parsing text through the HTML checker htmLawed it removes things inside quotes? If I have read the readme right, is it because "style" is disallowed by default, which is why if someone on TinyMCE does a strike the HTML does this - style="" and nothing inside the quotes?

I only want to allow Bold, Italic, Underline and Strike using a span style, bullet and numbered lists. Basically everything in the Simple skin of the TinyMCE.

2

Re: Confused by the readme and usage with TinyMCE

Luckily I found this post:
http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=211

You can close this one now.

I would suggest you use that example and create a quick start guide or a htmLawed for dummies thing ;)

3

Re: Confused by the readme and usage with TinyMCE

I am now using this by the way since the other topic is closed, any comments?

<?php
// adapted from http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=211 as the documentation for htmLawed is highly confusing!
// this needs better commenting to explain what it does step by step (so I can understand it properly too) as it's a quick fix to get the editors working and secure enough
require_once('htmLawed.php');

// This function is called from the script that needs it
function parse($text)
{
    global $db;

    // Allow only the listed elements; deny every attribute except href and style;
    // pass each tag through my_css_filter() via the hook_tag setting
    $config = array('safe'=>1, 'cdata'=>1, 'comment'=>1, 'deny_attribute'=>'* -href -style', 'elements'=>'a, em, strong, p, hr, br, ul, ol, li, sub, sup, span, div', 'keep_bad'=>0, 'hook_tag' => 'my_css_filter');

    $out = htmLawed(stripslashes($text), $config);

    // Escape the filtered HTML for the database
    $out = $db->quote_smart($out);

    return $out;
}

// This function is never directly called, it is called in the parse function above
function my_css_filter($element, $attribute_array=0)
{
    // If second argument is not received, it means a closing tag is being handled
    if(is_numeric($attribute_array))
    {
        return "</$element>";
    }

    if (isset($attribute_array['style']))
    {
        // Split the style value into "property: value" declarations
        $css = explode(';', $attribute_array['style']);
        $style = array();
        foreach ($css as $v)
        {
            if (($p = strpos($v, ':')) > 1 && $p < strlen($v))
            {
                $prop_name = trim(substr($v, 0, $p));
                $prop_val = trim(substr($v, $p+1));
                // this list might need adapting if you want to allow different properties
                if ($prop_name == 'color' || $prop_name == 'background-color' || $prop_name == 'font-size' || $prop_name == 'font-family' || $prop_name == 'text-align' || $prop_name == 'text-decoration' || $prop_name == 'padding-left')
                {
                    $style[] = "$prop_name: $prop_val";
                }
            }
        }
        if (!empty($style))
        {
            $attribute_array['style'] = implode('; ', $style);
        }
        else
        {
            // No allowed property survived, so drop the style attribute entirely
            unset($attribute_array['style']);
        }
    }

    // Rebuild the opening tag from the remaining attributes
    $attributes = '';
    foreach ($attribute_array as $k=>$v)
    {
        $attributes .= " {$k}=\"{$v}\"";
    }

    static $empty_elements = array('br'=>1, 'hr'=>1);
    return "<{$element}{$attributes}". (isset($empty_elements[$element]) ? ' /' : ''). '>';
}

You just call the parse function with your user input text.

4

Re: Confused by the readme and usage with TinyMCE

Thanks for the code example. Note that in this line of the code

$out = htmLawed(stripslashes($text), $config);

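use of stripslashes() should be rationalized, otherwise the output may be corrupted. I.e., stripslashes() should be used only if it is needed, with code like

// get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()){
    $text  = stripslashes($text);
}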

$out = htmLawed($text, $config);

Also, you probably missed this page on the htmLawed website: htmLawed with TinyMCE.
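
The hook posted in reply 3 allowlists CSS property names but passes any value through. The following is an added example, not part of the thread or of htmLawed itself, that also allowlists the values; `filter_style_value()`, `strict_css_filter()` and the property table are hypothetical names and assumptions chosen to match the underline/strike use case from the first post, and the hook would be wired in with `'hook_tag' => 'strict_css_filter'`.

```php
<?php
// Added example: allowlist CSS property values as well as names.
function filter_style_value($style)
{
    // Assumed allowlist: property name => regex the whole value must match
    static $allowed = array(
        'text-decoration' => '/^(underline|line-through)$/',
        'text-align'      => '/^(left|right|center|justify)$/',
        'padding-left'    => '/^\d{1,3}px$/',
    );
    $kept = array();
    foreach (explode(';', $style) as $declaration) {
        $parts = explode(':', $declaration, 2);
        if (count($parts) !== 2) {
            continue; // not a "name: value" pair
        }
        $name  = strtolower(trim($parts[0]));
        $value = strtolower(trim($parts[1]));
        if (isset($allowed[$name]) && preg_match($allowed[$name], $value) === 1) {
            $kept[] = "$name: $value";
        }
    }
    return implode('; ', $kept);
}

// Same calling convention as my_css_filter() in the post above.
function strict_css_filter($element, $attribute_array = 0)
{
    if (is_numeric($attribute_array)) {
        return "</$element>"; // closing tag
    }
    if (isset($attribute_array['style'])) {
        $clean = filter_style_value($attribute_array['style']);
        if ($clean === '') {
            unset($attribute_array['style']); // nothing allowed survived
        } else {
            $attribute_array['style'] = $clean;
        }
    }
    $attributes = '';
    foreach ($attribute_array as $k => $v) {
        $attributes .= " {$k}=\"{$v}\"";
    }
    $void = ($element === 'br' || $element === 'hr') ? ' /' : '';
    return "<{$element}{$attributes}{$void}>";
}

// Constructed sample input: one allowed declaration, two that are dropped
echo strict_css_filter('span', array('style' => 'text-decoration: line-through; color: red; position: fixed')), "\n";
```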