
text editor inside a form textarea ?

I want a text editor inside a form's textarea,

So I would see html markup and html entities - just like a text editor.
I also would want to be able to edit it all just like a text editor -
this is done in PHPMyadmin for example...is there an easy way to do this?

In a way i'm asking the browser to suspend rendering markup.
Jul 17 '05 #1
euh...
echo "<textarea name='field1'>$yourfield</textarea>";

??

Rod

"Hal Halloway" <Ha******@nospam.net> wrote in message news:
zvCLd.1479$Kj4.1311@trnddc09...
I want a text editor inside a form's textarea,

So I would see html markup and html entities - just like a text editor. I
also would want to be able to edit it all just like a text editor - this
is done in PHPMyadmin for example...is there an easy way to do this?

In a way i'm asking the browser to suspend rendering markup.

Jul 17 '05 #2
In article <41***********************@news.club-internet.fr>,
"WebRod" <no****@bouygtel.fr> wrote:
euh...
echo "<textarea name='field1'>$yourfield</textarea>";

??

Rod

"Hal Halloway" <Ha******@nospam.net> wrote in message news:
zvCLd.1479$Kj4.1311@trnddc09...
I want a text editor inside a form's textarea,

So I would see html markup and html entities - just like a text editor. I
also would want to be able to edit it all just like a text editor - this
is done in PHPMyadmin for example...is there an easy way to do this?

In a way i'm asking the browser to suspend rendering markup.


I've seen such things but they're written in Javascript and only work on
IE:

http://sniptools.com/dhtml_editor.php

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #3
Hal Halloway wrote:
I want a text editor inside a form's textarea,

So I would see html markup and html entities - just like a text editor.
I also would want to be able to edit it all just like a text editor -
this is done in PHPMyadmin for example...is there an easy way to do this?

In a way i'm asking the browser to suspend rendering markup.


I think this is what you are after:
<textarea><?php echo htmlentities($the_code_string) ?></textarea>

That way, all HTML code will not be rendered (because "<" is replaced
with "&lt;" etc.), but it will show up as if you were viewing the source
of the document...

If that's not what you are after, take a look at this:
http://www.koivi.com/WYSIWYG-Editor/
Jul 17 '05 #4
> I think this is what you are after:
> <textarea><?php echo htmlentities($the_code_string) ?></textarea>
>
> That way, all HTML code will not be rendered (because "<" is replaced with
> "&lt;" etc.), but it will show up as if you were viewing the source of the
> document...


Actually you don't need to use htmlentities.
Because it is already in <textarea></textarea> it works fine!
So:
<textarea><?php echo $the_code_string ?></textarea>
OR
<?php echo htmlentities($the_code_string) ?>
But no need of:
<textarea><?php echo htmlentities($the_code_string) ?></textarea>

Rod


Jul 17 '05 #5
WebRod <no****@bouygtel.fr> wrote:
Actually you don't need to use htmlentities.
Because it is already in <textarea></textarea> it works fine!
So:
<textarea><?php echo $the_code_string ?></textarea>
OR
<?php echo htmlentities($the_code_string) ?>
But no need of:
<textarea><?php echo htmlentities($the_code_string) ?></textarea>


So what will happen if $the_code_string just happens to have the string
"</textarea>" in it?

Not escaping is the first step towards XSS.

Jul 17 '05 #6
Sorry if this posts twice, but it didn't show up through my reader, so
I had to use GG...
Unless you have another textarea in it....

<?php
$string='<b>This</b> has a textarea: <textarea></textarea> This is bad
for the page.';
?>
<textarea><?php echo $string ?></textarea>

Also, I think that if you don't use htmlentities it won't validate via
W3C.

Jul 17 '05 #7
WebRod wrote:
I think this is what you are after:
<textarea><?php echo htmlentities($the_code_string) ?></textarea>

That way, all HTML code will not be rendered (because "<" is replaced with
"&lt;" etc.), but it will show up as if you were viewing the source of the
document...

Actually you don't need to use htmlentities.
Because it is already in <textarea></textarea> it works fine!
So:
<textarea><?php echo $the_code_string ?></textarea>
OR
<?php echo htmlentities($the_code_string) ?>
But no need of:
<textarea><?php echo htmlentities($the_code_string) ?></textarea>


Never omit htmlentities when outputting untrusted content to your pages.
It doesn't matter where you place it, it can be harmful even inside an
HTML comment.
Jul 17 '05 #8
> Never omit htmlentities when outputting untrusted content to your pages.
> It doesn't matter where you place it, it can be harmful even inside an
> HTML comment.


yes, you're perfectly right!!
I was thinking only about "format" tags like <h1>,<font> etc etc.

but you're right, it's always better to use htmlentities!!
I apologize for my wrong answer :(

Rod
Jul 17 '05 #9
This works OK and is XSS-safe:

<textarea><?php echo htmlspecialchars($string); ?></textarea>

Or, if you want characters to be shown as they were typed even when the
browser, unable to represent them in the document charset, has encoded
them into &#nnn; form:

<textarea><?php echo preg_replace('/&amp;(#\d{1,5}|[a-z]{1,10});/i',
'&\1;', htmlspecialchars($string)); ?></textarea>

Both examples work fine in IE and Mozilla Firefox. The second example will
cause some problems with Opera versions before 7.5, where it will be
hard to use &#-encodings for characters outside the document's charset.

Jul 17 '05 #10
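
The behaviour discussed in posts #5 to #8, as an added example that is not part of the original thread: it renders the sample string from post #7 with and without escaping and checks whether the field still ends where it should. The function names are hypothetical.

```php
<?php
// Added example, not code from the thread. The sample value is the string from
// post #7; the function names are hypothetical.

// Output as in the "no need of htmlentities" reply: the value is written raw.
function render_unescaped(string $value): string
{
    return '<textarea name="field1">' . $value . '</textarea>';
}

// Output as in posts #4 and #10: &, <, >, " and ' are turned into entities.
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="field1">' . $safe . '</textarea>';
}

// A correctly rendered field contains exactly one closing tag, its own.
function closing_tag_count(string $html): int
{
    return substr_count(strtolower($html), '</textarea');
}

// What the browser shows in the field: the text up to the first closing tag,
// with entities decoded (textarea content is parsed as text plus entities).
function displayed_text(string $html): string
{
    $start = strpos($html, '>') + 1;
    $end   = stripos($html, '</textarea', $start);
    return htmlspecialchars_decode(substr($html, $start, $end - $start), ENT_QUOTES);
}

$value = '<b>This</b> has a textarea: <textarea></textarea> This is bad for the page.';

foreach (['render_unescaped', 'render_escaped'] as $render) {
    $html = $render($value);
    printf("%s\n  closing tags: %d\n  field shows the full value: %s\n",
        $render,
        closing_tag_count($html),
        displayed_text($html) === $value ? 'yes' : 'no');
}
```

With the raw output the field closes at the tag inside the value, and everything after it is parsed as page markup; with the escaped output the only closing tag is the template's own and the field shows the stored markup as text.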
