i have been working with a RTE and my current cleaning function trim(strip_tags(stripslashes())). I use PDO for inserting data in to the database, so i am not one hundred % sure on how i should go with the RTE text area input. I am not sure how i should clean that input, or if i should just use htmlenties to display it in a safe way in the website.
If you use PDO's prepared statements to protect your database from injection, and you then use htmlentities to protect your users from XSS attacks, then you ought to be fine.
As for "cleaning that input", this will only work when you know exactly what is going to be allowed and you either filter out everything else, or detect and infringement and abort that operation -- so called Filtering Input (FIEO)
e.g. a phone number. You might permit spaces, dashes, round brackets and numbers.
For a free for all text area you face an impossible task, so you simply have to protect each environment from attack by Escaping Output. (FIEO)
This topic is now closed. New replies are no longer allowed.