2

So what is happening is I have a content editable DIV that I would like to be able to put code into and then hit save! I can do this with normal text and it saves fine, but when trying to save code it saves it as &lt;img&gt; instead of <img>

Here is the code I am using to save the text to a file:

<?php
$news = $_POST['data'];
$myfile = fopen("../News/newspagedata.php", "w") or die("Unable to open file!");
fwrite($myfile, $news);
fclose($myfile);
?>

Any Help would be greatly appreciated!

asked Feb 17, 2015 at 21:08
7
  • 4
    We have no idea what is being sent to server, or what expected results should be. Please provide full details. Commented Feb 17, 2015 at 21:14
  • For Example: The Crapaud Community Hall is looking for musicians, bands, improv groups, and stand up comedians to perform on its beautiful stage. For Bookings Contact Ida at 393-6822 or use the bookings page above!! <img> This is sent to the server, and I want it to save exactly like that, so if I opened the page it is saved to it would result in the text followed by the img, but it currently saves as The Crapaud ... bookings page above!! &lt;img&gt; Commented Feb 17, 2015 at 21:21
  • I don't know why people are complaining about his question. He is clearly confused on why his HTML elements are being escaped. What more information do you possibly need? Commented Feb 17, 2015 at 21:25
  • Thanks @Jakobud, I'm not sure why they were either, I just knew it was converting them to character codes and I wasn't sure how to stop it! Commented Feb 17, 2015 at 21:31
  • Had I not properly edited the OP's code in the first place, nobody would have figured it out, unless they went into "edit" mode to see the actual characters the OP posted. So yeah "Thanks Fred" ;-) - but when trying to save code it saves it as "<img>" instead of "" as per stackoverflow.com/revisions/28571145/1 Commented Feb 17, 2015 at 21:34

1 Answer

2

It looks like either your JavaScript or PHP is converting special characters into HTML entities, so you need to do this:

$news = html_entity_decode($_POST['data']);

Please note that this leaves you 100% vulnerable to things such as this:

<script>
var i = 0;
while(i < 1){
 // execute some code infinitely
}
</script>
answered Feb 17, 2015 at 21:22

6 Comments

This is the correct answer. Ignore the people who are too dense to understand the question.
Upon doing this the file will no longer save?
Nevermind! This does work correctly, I forgot a ' when I retyped it! Thanks a lot!
@MarkShaw glad to hear you got it working! You had me completely stumped as to why it stopped saving the file lol. Please heed my warning about the javascript injection though
Yes, I do understand your warning, this is all behind a login system though so unless that is broken into we should not have any issues! Thanks a lot!
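
An added example, not code from the question or the answer: one way to act on the answer's warning is to decode the entities as the answer does and then keep only an allowlist of tags and attributes before the text is written to the file. The tag policy, the function names and the sample input are assumptions made for illustration.

```php
<?php
// Assumed policy (tag => permitted attributes); adjust to what the editor should produce.
const ALLOWED = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'a' => ['href'], 'img' => ['src', 'alt'],
];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function safe_url(string $url): bool {
    $url = preg_replace('/[\x00-\x20]+/', '', $url);  // browsers ignore embedded tabs/newlines
    // A colon before any "/", "?" or "#" marks a scheme; accept only http and https.
    return !preg_match('/^([^\/?#:]*):/', $url, $m) || in_array(strtolower($m[1]), ['http', 'https'], true);
}

function clean_node(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) {  // copy: the tree is mutated
        if ($child instanceof DOMText) continue;
        $tag = strtolower($child->nodeName);
        if (!($child instanceof DOMElement) || in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);  // comments, processing instructions, script-like elements
            continue;
        }
        clean_node($child);
        if (!array_key_exists($tag, ALLOWED)) {  // unknown tag: keep cleaned children, drop the tag
            while ($child->firstChild) $node->insertBefore($child->firstChild, $child);
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);  // event handlers such as onerror are never listed
            $ok = in_array($name, ALLOWED[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || safe_url($attr->value));
            if (!$ok) $child->removeAttributeNode($attr);
        }
    }
}

function sanitize_news_html(string $posted): string {
    $html = html_entity_decode($posted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $doc = new DOMDocument();
    // The XML prolog makes libxml read the input as UTF-8; only <body> content is kept.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) return '';
    clean_node($body);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($body->childNodes, false)));
}

// Constructed sample of what the editor might post (entities still encoded).
echo sanitize_news_html('Book now!! &lt;img src="hall.jpg" onerror="x()"&gt;&lt;script&gt;while(1){}&lt;/script&gt;'), "\n";
```

The string returned by sanitize_news_html() is what would be passed to fwrite() in place of the decoded $news.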