HTML5 data- attribute stripped on saving html to DB using editor field::inst
I need to store some simple HTML data in a DB, but I can't quite understand why I am losing certain tags. I log the data before it is passed into the Editor server-side processing and compare it with the saved DB data.
use
    DataTables\Editor,
    DataTables\Editor\Field,
    DataTables\Editor\Format,
    DataTables\Editor\Join,
    DataTables\Editor\Upload,
    DataTables\Editor\Validate;

// Log() is the poster's own logging helper; it records the raw request before Editor sees it
Log(json_encode($_POST));
Output from the HTML input form
{"action":"edit","data":{"row_3":{"htmlData":"<p style=\"text-align: center;\"> <span style=\"font-size: 14pt;\" data-tag=\"1\">My text<\/span><\/p>"}}}
// Build our Editor instance and process the data coming from _POST
$editProcess = Editor::inst($db, 'htmlTable', 'id');
$editProcess->fields(
    Field::inst('htmlData')
);
$editProcess->process($_POST);
$editProcess->json();
Inserted into the DB
<p style="text-align: center;"><span style="font-size: 14pt;">My text</span></p>
So either it doesn't like HTML5 attributes, or it is stripping tags without telling me?? Can't find anything in the documentation about this....
Help needed as I can't find an answer anywhere. (Hoping someone sees my question, as searching for Editor-based Q&A seems a little lost in the DataTables forums.)
Thanks
Answers
Hi,
Thanks for posting this. The issue here appears to stem from the library that the Editor PHP libraries use to protect against XSS attacks - frustratingly it is stripping the HTML5 data attributes.
There is a new version of that library which I've wrapped up into a suitable class and can be obtained here. Simply copy all of that code and use it to replace the contents of
php/Vendor/htmLawed/htmLawed.php
in your Editor directory. That will resolve the issue. Also, it is a beta version of htmLawed; I've not noticed any issues with it myself. As soon as it goes stable (which should be soon, as from their site the plan was to release a stable version of 1.2 this year - 2015) I'll be packaging it up into Editor and likely issue a new release.
The other option would be to disable the XSS protection which you can do by chaining
->xss( false )
onto the field initialisation option, but obviously it's better if we can protect against XSS attacks.
Regards,
Allan
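A middle ground between the patched htmLawed and `->xss( false )`, as an added example that is not part of the original thread or of DataTables Editor's own code: an allow-list sanitiser that keeps `data-*` attributes but still drops unknown elements, event-handler and URL attributes, and `url()`/`expression()` styles. That `Field::xss()` accepts a callable as well as a boolean, and the tag/attribute allow-list itself, are assumptions of this example.

```php
<?php
// Added example; not code from the original post or from DataTables Editor.
// Allow-list sanitiser that keeps HTML5 data-* attributes (what htmLawed was stripping)
// while still removing unknown elements, on*/URL attributes and scriptable styles.
function sanitizeWithDataAttrs(string $html): string
{
    $allowedTags  = ['p' => 1, 'span' => 1, 'strong' => 1, 'em' => 1, 'br' => 1];
    $allowedAttrs = ['class' => 1, 'style' => 1];      // data-* handled separately below
    // Only "prop: value;" pairs of plain characters: no parentheses, so no url()/expression()
    $stylePattern = '/^\s*[a-z-]+\s*:\s*[a-z0-9 .%#,-]+\s*(;\s*[a-z-]+\s*:\s*[a-z0-9 .%#,-]+\s*)*;?\s*$/i';

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // silence warnings for HTML5 tags
    $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//body//*') as $el) {      // static list, safe while mutating the tree
        if (!isset($allowedTags[$el->nodeName])) {
            $el->parentNode->removeChild($el);         // drops <script>, <img>, <a>, ... whole
            continue;
        }
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;                    // copy first: the attribute map is live
        }
        foreach ($names as $name) {
            $keep = isset($allowedAttrs[$name]) || preg_match('/^data-[a-z0-9-]+$/', $name) === 1;
            if ($name === 'style' && preg_match($stylePattern, $el->getAttribute($name)) !== 1) {
                $keep = false;
            }
            if (!$keep) {
                $el->removeAttribute($name);           // onclick, href, srcdoc, bad style, ...
            }
        }
    }

    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);                // serialise only the fragment
    }
    return $out;
}

// Constructed input: the poster's HTML plus an injected handler and a script tag.
$in = '<p style="text-align: center;"><span style="font-size: 14pt;" data-tag="1" '
    . 'onclick="alert(1)">My text</span></p><script>alert(2)</script>';
echo sanitizeWithDataAttrs($in), "\n";
// Wiring it into the field from the question (assumes Field::xss() takes a callable):
// Field::inst('htmlData')->xss('sanitizeWithDataAttrs')
```

The `data-tag="1"` attribute survives while the `onclick` handler and the `<script>` element are removed, so the stored HTML keeps its editor metadata without turning the field into an unfiltered sink.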
Thanks for the quick response. And the tested and working fix.
(And thanks for the link to post new forum requests)