text editor inside a form textarea ?

  • Hal Halloway

    text editor inside a form textarea ?

    I want a text editor inside a form's textarea,

    So I would see HTML markup and HTML entities - just like a text editor.
    I also would want to be able to edit it all just like a text editor -
    this is done in phpMyAdmin for example... is there an easy way to do this?

    In a way I'm asking the browser to suspend rendering markup.
  • WebRod

    #2
    Re: text editor inside a form textarea ?

    er...
    echo "<textarea name='field1'>$yourfield</textarea>";

    ??

    Rod

    "Hal Halloway" <Halloway@nospam.net> wrote in message news:
    zvCLd.1479$Kj4.1311@trnddc09...
    >I want a text editor inside a form's textarea,
    >
    > So I would see HTML markup and HTML entities - just like a text editor. I
    > also would want to be able to edit it all just like a text editor - this
    > is done in phpMyAdmin for example... is there an easy way to do this?
    >
    > In a way I'm asking the browser to suspend rendering markup.



    • Michael Vilain

      #3
      Re: text editor inside a form textarea ?

      In article <41ff3d63$0$26212$7a628cd7@news.club-internet.fr>,
      "WebRod" <nomail@bouygtel.fr> wrote:

      > er...
      > echo "<textarea name='field1'>$yourfield</textarea>";
      >
      > ??
      >
      > Rod
      >
      > "Hal Halloway" <Halloway@nospam.net> wrote in message news:
      > zvCLd.1479$Kj4.1311@trnddc09...
      > >I want a text editor inside a form's textarea,
      > >
      > > So I would see HTML markup and HTML entities - just like a text editor. I
      > > also would want to be able to edit it all just like a text editor - this
      > > is done in phpMyAdmin for example... is there an easy way to do this?
      > >
      > > In a way I'm asking the browser to suspend rendering markup.

      I've seen such things, but they're written in JavaScript and only work on
      IE:



      --
      DeeDee, don't press that button! DeeDee! NO! Dee...




      • Justin Koivisto

        #4
        Re: text editor inside a form textarea ?

        Hal Halloway wrote:
        > I want a text editor inside a form's textarea,
        >
        > So I would see HTML markup and HTML entities - just like a text editor.
        > I also would want to be able to edit it all just like a text editor -
        > this is done in phpMyAdmin for example... is there an easy way to do this?
        >
        > In a way I'm asking the browser to suspend rendering markup.

        I think this is what you are after:
        <textarea><?php echo htmlentities($the_code_string) ?></textarea>

        That way, all HTML code will not be rendered (because "<" is replaced
        with "&lt;" etc.), but it will show up as if you were viewing the source
        of the document...

        If that's not what you are after, take a look at this:


        • WebRod

          #5
          Re: text editor inside a form textarea ?

          > I think this is what you are after:
          > <textarea><?php echo htmlentities($the_code_string) ?></textarea>
          >
          > That way, all HTML code will not be rendered (because "<" is replaced with
          > "&lt;" etc.), but it will show up as if you were viewing the source of the
          > document...
          >

          Actually you don't need to use htmlentities.
          Because it is already in <textarea></textarea> it works fine!
          So:
          <textarea><?php echo $the_code_string ?></textarea>
          OR
          <?php echo htmlentities($the_code_string) ?>
          But no need of:
          <textarea><?php echo htmlentities($the_code_string) ?></textarea>

          Rod





          • Daniel Tryba

            #6
            Re: text editor inside a form textarea ?

            WebRod <nomail@bouygtel.fr> wrote:
            > Actually you don't need to use htmlentities.
            > Because it is already in <textarea></textarea> it works fine!
            > So:
            > <textarea><?php echo $the_code_string ?></textarea>
            > OR
            > <?php echo htmlentities($the_code_string) ?>
            > But no need of:
            > <textarea><?php echo htmlentities($the_code_string) ?></textarea>

            So what will happen if $the_code_string just happens to have the string
            "</textarea>" in it?

            Not escaping is the first step towards XSS.


            • Justin Koivisto

              #7
              Re: text editor inside a form textarea ?

              Sorry if this posts twice, but it didn't show up through my reader, so
              I had to use GG...


              Unless you have another textarea in it....

              <?php
              $string = '<b>This</b> has a textarea: <textarea></textarea> This is bad
              for the page.';
              ?>
              <textarea><?php echo $string ?></textarea>

              Also, I think that if you don't use htmlentities it won't validate via
              W3C.


              • Dani CS

                #8
                Re: text editor inside a form textarea ?

                WebRod wrote:
                >>I think this is what you are after:
                >><textarea><?php echo htmlentities($the_code_string) ?></textarea>
                >>
                >>That way, all HTML code will not be rendered (because "<" is replaced with
                >>"&lt;" etc.), but it will show up as if you were viewing the source of the
                >>document...
                >>
                >
                >
                > Actually you don't need to use htmlentities.
                > Because it is already in <textarea></textarea> it works fine!
                > So:
                > <textarea><?php echo $the_code_string ?></textarea>
                > OR
                > <?php echo htmlentities($the_code_string) ?>
                > But no need of:
                > <textarea><?php echo htmlentities($the_code_string) ?></textarea>

                Never omit htmlentities when outputting untrusted content to your pages.
                It doesn't matter where you place it, it can be harmful even inside an
                HTML comment.


                • WebRod

                  #9
                  Re: text editor inside a form textarea ?

                  > Never omit htmlentities when outputting untrusted content to your pages.
                  > It doesn't matter where you place it, it can be harmful even inside an
                  > HTML comment.

                  yes, you're perfectly right!!
                  I was thinking only about "format" tags like <h1>,<font> etc etc.

                  but you're right, it's always better to use htmlentities!!
                  I apologize for my wrong answer :(

                  Rod



                  • drdaeman

                    #10
                    Re: text editor inside a form textarea ?

                    This works OK and is XSS-safe:

                    <textarea><?php echo htmlspecialchars($string); ?></textarea>

                    Or, if you want that, even if the browser had to encode some characters
                    into &#nnn; form because they cannot be represented in the document's
                    charset, they will still be shown as they were typed:

                    <textarea><?php echo preg_replace('/&amp;(#\d{1,5}|[a-z]{1,10});/i',
                    '&\1;', htmlspecialchars($string)); ?></textarea>

                    Both examples work fine in IE and Mozilla Firefox. The second example will
                    cause some problems with Opera versions before 7.5, where it will be
                    hard to use &#-encodings for characters outside the document's charset.
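The break-out risk Daniel raised in #6 and the two escaped forms from #10, side by side, as an added PHP example that is not from any post in this thread; the sample string, the helper names and the `breaks_out` check are constructed for the demonstration.

```php
<?php
// Added example, not from any post in this thread: contrasts the raw
// textarea output (post #5) with the escaped forms from posts #6 and #10.
declare(strict_types=1);

// Constructed sample: a stored field value that contains a closing
// </textarea> tag plus an entity reference the browser encoded on submit.
$the_code_string = '<b>bold</b> &#233; </textarea><i>now outside the field</i>';

// Unsafe: the raw string is emitted, so the browser sees the embedded
// </textarea>, ends the control early and renders the rest as markup.
function unsafe_textarea(string $s): string
{
    return '<textarea name="field1">' . $s . '</textarea>';
}

// Safe (post #10, first form): &, <, > and quotes become entities, so no
// byte sequence inside the control can close it.
function safe_textarea(string $s): string
{
    return '<textarea name="field1">'
        . htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Post #10, second form: escape everything, then restore only complete,
// ";"-terminated references (&#233; or &amp;) so characters the browser had
// to encode as &#nnn; display as typed. A literal "<" was turned into "&lt;"
// and has no "&amp;" prefix, so it is never restored to a tag.
function safe_textarea_keep_entities(string $s): string
{
    $escaped  = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $restored = preg_replace('/&amp;(#\d{1,5}|[a-z]{1,10});/i', '&\1;', $escaped);
    return '<textarea name="field1">' . $restored . '</textarea>';
}

// Did the content break out of the control? More than one closing tag
// in the emitted markup means the field was terminated early.
function breaks_out(string $html): bool
{
    return substr_count(strtolower($html), '</textarea>') > 1;
}

foreach (['unsafe_textarea', 'safe_textarea', 'safe_textarea_keep_entities'] as $fn) {
    printf("%-28s breaks out: %s\n", $fn, breaks_out($fn($the_code_string)) ? 'yes' : 'no');
}
echo safe_textarea_keep_entities($the_code_string), PHP_EOL;
```

Only the unescaped form reports a break-out; the entity-restoring form still shows `&#233;` as the typed character without ever emitting a literal `<`.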
