How to realise a safe text editor for editing content?


If you are populating the text into the innerHTML of, let's say, a div, it allows a user to write HTML and have it displayed as HTML later. However, if you don't want to let people inject HTML, you can use innerText instead. innerText works just like innerHTML but does not hit the HTML parser.

If you plan on using bb code or markdown, you would parse the text for the code that needs to be converted and leave the rest as text. You could also use a regex parser to convert special characters to their HTML entity equivalents, then convert the bb code or markdown to HTML. Try this: when saving to the database, replace known well-formatted HTML with bb code (replacing with b). However, ill-formatted HTML will remain as typed ( will stay ).

Then do a regex replace on all HTML special characters (i.e. ). Then, when retrieving from the database, replace the bb code with HTML and you are all set.

Yep, I understand the difference between innerHTML and innerText. But if I use innerText, then how do I display data which is kept in HTML form in the database?... About HTML parsing using regex - I heard this is a bad idea... – Innuendo Jul 8 at 13:30

What I mean by using regex to convert "special characters" is to replace any with its entity code. This will prevent any written HTML from being used as markup. This will allow you to use innerHTML without the fear of injected HTML. It is a 2-step process: remove the unwanted, then parse the rest of the text and convert the bb code into HTML. – Utilitron Jul 8 at 14:34

But with a WYSIWYG editor I save my content in HTML form (I have , for bold, etc.). Changing all into their entity codes makes the markup useless. I shouldn't change all . – Innuendo Jul 8 at 15:00

How about a tokenizer? en.wikipedia.org/wiki/Tokenizer#Tokenizer - If you know what you don't want the users to use, i.e. and , you can check each token for malicious text. But you may run into problems with . – Utilitron Jul 8 at 15:31
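The tokenizer approach from the comments, as an added example (not code posted by either commenter): the stored HTML is walked tag by tag, tags on an allowlist are re-emitted in a clean form, and every other tag is escaped to text. Attributes are where such a scheme usually breaks (`onclick=`, `href="javascript:..."`), so this version drops all attributes except an `href` on `<a>` that passes a scheme check. The names `sanitize`, `ALLOWED_TAGS` and `safeHref`, the allowlist itself, and the simplified tag grammar are assumptions; the sample input is constructed.

```javascript
// Added example, not from the thread. Names, allowlist and grammar are assumptions.

const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'a']);

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs or same-site relative paths survive; anything
// else (javascript:, data:, protocol-relative //host) is dropped.
function safeHref(value) {
  const v = value.trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? v : null;
}

function sanitize(html) {
  // Tokens are either a <...> tag or the text between tags.
  const tokens = html.split(/(<[^>]*>)/);
  const open = [];           // stack of tags we have emitted, to keep output balanced
  let out = '';
  for (const tok of tokens) {
    if (!tok) continue;
    if (tok[0] !== '<') { out += escapeHtml(tok); continue; }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(tok);
    if (!m) { out += escapeHtml(tok); continue; }            // malformed tag: show as text
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { out += escapeHtml(tok); continue; }
    if (closing) {
      // Close only what we opened, and everything nested inside it.
      const idx = open.lastIndexOf(name);
      if (idx === -1) continue;
      while (open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    if (name === 'br') { out += '<br>'; continue; }
    let keep = '';
    if (name === 'a') {
      const hm = /href\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
      const href = hm && safeHref(hm[2] ?? hm[3] ?? hm[4]);
      if (href) keep = ` href="${escapeHtml(href)}" rel="noopener"`;
    }
    open.push(name);
    out += `<${name}${keep}>`;             // attributes other than the vetted href are gone
  }
  while (open.length) out += `</${open.pop()}>`;   // close anything the user left open
  return out;
}

// Constructed sample: handler attribute, script, javascript: link, good link, unclosed tag.
const SAMPLE = '<b onclick="x">bold</b> <script>alert(1)</script> '
  + '<a href="javascript:alert(1)">j</a> <a href="https://example.com/?q=1">ok</a> <i>open';
console.log(sanitize(SAMPLE));
```

The tokenizer here is deliberately simple and does not model the browser's real HTML parser (no comments, CDATA, or entity decoding inside attributes), which is exactly the kind of gap a regex-based approach leaves; for production a maintained sanitizer that parses with the same rules as the browser is the safer choice.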
