I have a form with multiple textarea fields, for some of which I use HTMLText type. I provide the users with a very stripped down version of TinyMCE for those. (buttons for bold, italic, setting links only)
If someone turned JavaScript off though, they could just put HTML in there, and it would all get accepted, including scripts.
The data in the forms is displayed on another page. So I guess there are two issues here, how to store it in the database, and how to display what is stored in the database.
I think I would probably be happy for people to write any kind of HTML, as long as everything in script tags will be removed. So that would actually be more like a blacklist really. I am wondering how best to achieve that.
Has anybody come across this problem, or got an idea how best to approach this? Are there any in-built methods in Silverstripe for this? Or would it be enough to just write some code to remove <script>..</script> from input of those fields? [edit]: Of course it is more complicated than that, as I have just seen http://stackoverflow.com/questions/2698079/strip-script-tags-and-everything-in-between-with-php :( But do I really need to use HTMLPurifier?
Thanks,
Katja
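The reason a script-tag blacklist is not enough, as the linked Stack Overflow question shows, is that markup can carry scripts without any `<script>` element at all: an `onclick` or `onerror` attribute, or a `javascript:` URL in a link's `href`, executes just the same. The safer shape is the reverse of a blacklist: keep only the tags and attributes the stripped-down TinyMCE toolbar can produce and drop everything else. The following is an added example (not code from the original post, from Silverstripe, or from HTMLPurifier) of such an allowlist sanitiser built only on PHP's bundled DOM extension; the function names are made up for this illustration, and the sample input at the bottom is constructed.

```php
<?php
// Added example, not part of the original post: an allowlist HTML sanitiser
// using PHP's bundled DOMDocument. Only the tags the toolbar produces survive;
// unknown tags are unwrapped (their text is kept), dangerous ones are dropped
// with their content, and only a single safe attribute (a[href]) is retained.

// Tags the stripped-down editor (bold, italic, links) can legitimately emit.
const ALLOWED_TAGS = ['b', 'strong', 'i', 'em', 'a', 'p', 'br'];
// Tags whose content must go too: leaving "alert(1)" as text is harmless, but
// leaving CSS or nested frames around is not what the user meant to publish.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitiseHtmlFragment(string $dirty): string
{
    if (trim($dirty) === '') {
        return '';
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // malformed user input is expected
    // The XML prologue is the usual trick to make libxml treat input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $dirty);
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanChildren($body);

    // Serialise only the body's children, not the html/body wrapper libxml added.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanChildren(DOMNode $node): void
{
    // Snapshot the list: we remove and move children while walking it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            cleanChildren($child);                // descendants first
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown tag (img, div, span, ...): keep its cleaned children, lose the tag.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            cleanAttributes($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions etc. carry nothing the user needs.
            $node->removeChild($child);
        }
    }
}

function cleanAttributes(DOMElement $el): void
{
    foreach (iterator_to_array($el->attributes) as $attr) {
        $keep = false;
        if (strtolower($el->tagName) === 'a' && strtolower($attr->name) === 'href') {
            // Strip control characters and whitespace first: browsers ignore them
            // inside a scheme, so "java\tscript:" would otherwise slip past a check.
            $url = preg_replace('/[\x00-\x20]+/', '', $attr->value);
            // Accept http(s), mailto, or a relative URL (no scheme at all).
            $keep = (bool) preg_match('#^(?:https?:|mailto:|[^:]*$)#i', $url);
        }
        if (!$keep) {
            $el->removeAttribute($attr->name);   // drops onclick, style, javascript: hrefs, ...
        }
    }
}

// Constructed sample input covering the cases a script-tag regex misses.
$sample = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
    . '<a href="javascript:alert(1)">x</a><a href="https://example.com/">ok</a>'
    . '<img src="x" onerror="alert(1)"></p>';
echo sanitiseHtmlFragment($sample), PHP_EOL;
```

On the two issues in the post: run the sanitiser once when the form is saved, so the database only ever holds cleaned markup, and then output that field as HTML on the display page; plain-text fields that are not meant to hold markup should instead be escaped with `htmlspecialchars()` on output. Note that this example is deliberately narrower than HTMLPurifier, which additionally normalises nesting and handles many more tags and attributes; if the allowed set grows beyond a few tags, a maintained library is the less risky choice.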