Rich-text formatting in PHP: HTML, Markdown, rich-text editors like TinyMCE and doing it securely

10,324 views

Dave Hollingworth

1 day ago

PHP for Beginners course: ➤ davehollingworth.net/phpy
PHP MVC course: ► davehollingworth.net/phpmvcy
CodeIgniter 4 course: ► davehollingworth.net/codeigni...
In an HTML form, a textarea element is used to collect a sizeable amount of text. You can enter more text than a regular text input, but it's still just plain text. In this video we'll look at how to allow the user of a form to add formatting to the content. We'll also learn how to do it securely to avoid code injection. We'll look at using HTML directly, using a plain-text markup language like Markdown, and using a rich-text editor in the browser like TinyMCE.
Resources:
daringfireball.net/projects/m...
packagist.org/packages/erusev...
www.tiny.cloud/
www.php.net/manual/en/functio...
htmlpurifier.org/
Code shown in the video:
gist.github.com/daveh/b93ca07...
00:00 Intro
01:13 Allowing HTML
02:38 Markdown
05:52 Rich-text editors
10:28 Using strip_tags
12:46 Using HTMLPurifier
16:29 Summary

Comments: 28
@edwardbabatunde 3 months ago
Straight to the point. Very impressive. Thanks for sharing.
@SAIEN333 3 months ago
Thank you, this was very easy to understand.
@ShubhamMishra-uw9yi 3 years ago
You are born to be a teacher 🙏
@savanaassasinandy716 1 year ago
Thank you a million times over!!
@lianna5483 3 years ago
Thank you very much for this video! It's crystal clear!
@belowsurfacemedia 1 year ago
Love this! Most relaxed tutorial ever :D
@malekfarag5134 3 years ago
This is awesome omg
@itsHan 2 years ago
Thanks a lot sir, you really deserve 1M+ subs
@yazilimci_adam 1 year ago
Thank you very much boss.
@ademineshat 3 years ago
Nice one 👌
@MT-ox3gz 2 years ago
Thank you very much
@giantjam4918 3 years ago
I was searching for how to add this feature, thank you so much. Can't I add it using HTML and CSS only? For adding it in an onion service?
@dave-hollingworth 3 years ago
You can use Markdown with HTML only in the browser, but you do need to have a Markdown parser on the server to process it into HTML. If you want a rich-text editor like TinyMCE, then I'm not aware of any that don't use JavaScript, I'm afraid.
@giantjam4918 3 years ago
@dave-hollingworth Thank you, brilliant.
@g7k993 3 years ago
Hey Dave, thank you for the video. Quick question that's bugging me: what's the difference between htmlspecialchars(), htmlentities() and the HTML Purifier you've used? Future video ideas: I'm not sure if you have any small CRUD app in your playlist (binge watching it rn). For example: "Hotel booking system, car rental CRUD app or restaurant online ordering", a simple page with just a table, search form and a picture to explain how CRUD works. The secret being "real life application". That sort of video appeals to many different audiences.
@dave-hollingworth 3 years ago
Basically htmlspecialchars is for when you want to escape something to display it in HTML. HTML Purifier is used to remove unwanted tags and attributes completely. There's a good description here: learnwebtutorials.com/difference-between-htmlentities-and-htmlspecialchars-in-php I don't have a CRUD series right now, but that's a good idea, I'll make a note of it!
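The distinction in the reply above, and the strip_tags / HTML Purifier / Markdown approaches listed in the video description, side by side in one script. This is an added example, not code from the video or from the gist linked above. It assumes the ezyang/htmlpurifier and erusev/parsedown packages are installed with Composer (the class names HTMLPurifier, HTMLPurifier_Config and Parsedown are the real ones); the $userInput string is a constructed sample, and the function names are this example's own.

```php
<?php
// Added example: four ways of handling rich text submitted through a textarea.
// Assumes `composer require ezyang/htmlpurifier erusev/parsedown` has been run.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

// Constructed sample input: markup a user might paste into the form.
$userInput = '<p>Hello <strong style="color:red">world</strong></p>'
    . '<script>console.log("not wanted")</script>';

// 1. Escape for display as plain text. Every tag is shown literally, so no
//    formatting survives; this is the htmlspecialchars case from the reply.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. strip_tags with an allow-list of tags (array form needs PHP 7.4+).
//    Caveat: attributes on the kept tags pass through untouched, so the
//    style attribute stays, and the text inside <script> is kept even
//    though the tag itself is removed.
function stripToAllowedTags(string $html): string
{
    return strip_tags($html, ['p', 'strong', 'em', 'a']);
}

// 3. HTML Purifier: allow-list of tags *and* attributes. The style
//    attribute and the script element (with its contents) are removed.
function purifyHtml(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,strong,em,a[href]');
    $config->set('Cache.DefinitionImpl', null); // no cache directory needed for a demo
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// 4. Markdown: with safe mode on (Parsedown 1.7+), raw HTML typed into the
//    Markdown source is escaped rather than passed through to the page.
function markdownToSafeHtml(string $markdown): string
{
    $parsedown = new Parsedown();
    $parsedown->setSafeMode(true);
    return $parsedown->text($markdown);
}

echo escapeForHtml($userInput), PHP_EOL;
echo stripToAllowedTags($userInput), PHP_EOL;
echo purifyHtml($userInput), PHP_EOL;
echo markdownToSafeHtml('**bold** and <strong style="color:red">raw</strong>'), PHP_EOL;
```

Run it and compare the four lines: the escaped version shows the tags as text; the strip_tags version keeps `style="color:red"` on the strong tag and leaves `console.log("not wanted")` behind as bare text; the purified version is `<p>Hello <strong>world</strong></p>` with nothing else; the Markdown version renders the bold but escapes the hand-written strong tag. If you want the red text to survive purification, add `strong[style]` to `HTML.Allowed` so the decision is an explicit allow-list entry rather than something the sanitiser let through by default.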
@pablokaram6342 2 years ago
Hi Dave! I'm using Twig and I noticed that it automatically resolves the issue with the HTML special chars (with the | raw indicator activated), however if I change the style attribute directly in the strong tag, it doesn't purify and appears red. My question is, how can I use the purifier library with Twig, or does some solution exist with the Twig templates?
@dave-hollingworth 2 years ago
There's a package here that might help: github.com/Exercise/HTMLPurifierBundle
@sumanparajuli229 3 years ago
Sir, create a video on a medication tracker and notification on a given timeframe with PHP...
@dave-hollingworth 3 years ago
Always looking for video ideas - please could you be a bit more specific? I tend to prefer videos that explain a single topic, so for example "how to send notifications using SMS". If you can suggest simple topics like that I'll be happy to consider a video on it! Thanks
@BlueDolphinBlues 1 year ago
Thanks, this is very helpful. What about stripping PHP?
@dave-hollingworth 1 year ago
Any PHP code wouldn't be executed as it would be sent to the browser - you could strip it using a regular expression, though, if you wanted.
@BlueDolphinBlues 1 year ago
@dave-hollingworth In my application the posted data would be stored and then presented as a blog. I want to give the user some ability to script without allowing them to return any session variables or information about the host.
@dave-hollingworth 1 year ago
@BlueDolphinBlues I'd be hesitant about giving the user script abilities - you'd have to parse the code to make sure there wasn't anything unexpected in there, which I think would be very difficult to make sure it was safe. I'm not aware of any parsers like the HTML one that allow you to strip code from PHP code. Alternatively, you could use a templating engine like Twig or something like Markdown that allow additional functionality but don't expose PHP to the user.
@BlueDolphinBlues 1 year ago
@dave-hollingworth I completely agree.
@kribo9604 1 year ago
Why Composer???
@dave-hollingworth 1 year ago
Composer is the easiest way to install third-party packages and their dependencies into a PHP project.