I know rich text editors like the one in the DZ forum, as seen in the result.
1: But I always have a question: isn't the data submitted by the client supposed to be filtered, otherwise there is XSS? Does DZ handle this the UBB way?
2: Those rich text editors, after the final submit to the server, contain HTML code. Can that be stored directly in the database? Shouldn't users be prevented from doing that?
3: What is the principle of a markdown editor such as SF's? Does it keep the HTML/JS code we entered in the backend database?
4: And things like DZ forum users' posts, polls and so on, how does the editor handle them? I don't understand, and I looked for the processing source code and could not find it...
Before, I used a plain text box with the backend directly filtering out all tags; that is simple, but it only allows plain text, nothing as powerful as DZ user posts. Now I want to use a rich text editor, but I do not know how the PHP backend connects to a rich text editor such as Baidu's, or SF's editor.
Then there is inserting pictures in the rich text editor: upload the image, get the image address back, and insert it into the content. With DZ's upload attachments, the pictures in the post are lazy loaded; how is that achieved? Is an IMG tag inserted directly into the content, or is there some placeholder for the picture, with JS then operating on the attachment data...
I do not understand, and I hope a master can explain it to me; I know that once I understand the principle, reading the code should be a lot simpler. Thank you!
Reply content:
The HTML code is stored directly in the database; what the user writes is what gets stored.
The various editors generate HTML code, and clicking submit sends that HTML.
Is there any doubt about that?
HTML has a pre tag, do you know it?
To prevent JS injection:
Very simple. When PHP outputs to the front end, use the str_replace function to replace `<` with `&lt;`, `>` with `&gt;`, and so on.
Please Baidu "HTML special character codes".
Make sure the tags do not take effect, so the JS code will not be executed, and you are done.
The simplest and most brutal way to defend against XSS attacks is to use htmlspecialchars to replace the special characters (&, ", ', <, >) with HTML entities (&amp; &quot; &#039; &lt; &gt;) on output.
$html = htmlspecialchars($html, ENT_QUOTES, 'UTF-8'); // escape &, ", ', <, > as the text above prescribes
$html = str_replace(array("\r\n", "\r", "\n"), '<br />', $html); // keep line breaks (the <br /> replacement string was lost in extraction)
echo $html;
The above implementation is very simple and safe, and the display is clean. The editor is just a normal textarea text box.
The most complicated way to defend against XSS attacks is to write regular-expression filters yourself, but fortunately there is the htmlpurifier library, which, besides filtering out XSS code, also completes or removes incomplete tags.
require_once 'HTMLPurifier.auto.php'; // autoloader shipped with the library; adjust the path to your install
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($html); // returns HTML reduced to the whitelist, with broken tags repaired
You can define a few HTML features via BBCode or markdown tags, for example BBCode:
[b]bold text[/b][color=#FF0000]red text[/color][img=PunBB bbcode test]http://127.0.0.1:8080/punbb/img/test.png[/img] [url=http://127.0.0.1:8080/punbb/]PunBB forum[/url]
The user enters BBCode tags in the text box; on output the BBCode is replaced with HTML, which is then filtered by htmlpurifier for safe output.
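An added example of the approach this reply describes (my own code, not from the thread or any of the projects mentioned): escape everything first, then convert a small BBCode whitelist to HTML with validated attributes. The function name bbcodeToHtml, the tag set and the plain [img]url[/img] form are my assumptions; htmlpurifier can still be run on the result as a second layer.

```php
<?php
// Added example (not from the thread): render user-submitted BBCode safely.
// Escape everything first, then re-enable a small whitelist of BBCode tags.
// The attribute checks (hex colour, http/https URL) are what a bare
// str_replace would miss.
function bbcodeToHtml(string $input): string
{
    // 1. Neutralise every character HTML cares about, quotes included,
    //    so nothing the user typed is ever interpreted as markup.
    $text = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. [b]...[/b] -> <strong>
    $text = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $text);

    // 3. [color=#RRGGBB]...[/color]: only a 6-digit hex colour is accepted, so
    //    nothing like "expression(...)" can reach the style attribute.
    $text = preg_replace(
        '~\[color=(#[0-9a-fA-F]{6})\](.*?)\[/color\]~s',
        '<span style="color:$1">$2</span>',
        $text
    );

    // 4. [url=...]label[/url] and [img]...[/img]: the URL must be absolute
    //    http(s); a javascript: or data: URL never matches and stays as
    //    escaped literal text. Quotes were already escaped in step 1, so the
    //    captured URL cannot break out of the attribute.
    $safeUrl = 'https?://[^\s\[\]]+';
    $text = preg_replace(
        "~\[url=($safeUrl)\](.*?)\[/url\]~s",
        '<a href="$1" rel="nofollow noopener">$2</a>',
        $text
    );
    $text = preg_replace("~\[img\]($safeUrl)\[/img\]~s", '<img src="$1" alt="">', $text);

    // 5. Preserve line breaks, as the reply above does with str_replace.
    return nl2br($text);
}

// Constructed sample: the second line is an injection attempt that must stay inert.
$post = "[b]bold text[/b] [color=#FF0000]red text[/color]\n"
      . "[url=javascript:alert(1)]click[/url] <script>alert(1)</script>";
echo bbcodeToHtml($post);
```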
The SF editor is a markdown syntax editor; its source code is here:
A well-structured, easy-to-maintain, modern PHP markdown Parser
I also saw that kind of editor on the internet, Tangled.