XF 2.3 Safely handling WYSIWYG content

stromb0li

Well-known member
What is the best practice for saving and retrieving content from the editor (wysiwyg form control) to prevent XSS attacks?

Is the recommendation to sanitize upon save?
XF::app()->stringFormatter()->sanitizeHtml($content);
 
Render the editor HTML to BBCode.

PHP:
// controller
$editorPlugin = $this->plugin(\XF\ControllerPlugin\EditorPlugin::class);
$bbCode = $editorPlugin->convertToBbCode($html);

// elsewhere
$bbCode = \XF\Html\Renderer\BbCode::renderFromHtml($html);
$bbCode = \XF::cleanString($bbCode);
 
Sorry to be verbose, but in this case, I store HTML from the editor as is in the database and then convert to BBCode on render each time?
 
Ideally you should store the BBCode and then convert that to HTML on render. The controller plugin has a built-in method for capturing the WYSIWYG input as BBCode for an entity or whatever.
 
I tried referencing your code, but receive an error that the method controller is undefined.
PHP:
// controller
$editorPlugin = $this->controller(\XF\ControllerPlugin\EditorPlugin::class);
$bbCode = $editorPlugin->convertToBbCode($html);

Then I tried calling the item statically, but that is prohibited:
$bbCode = \XF\ControllerPlugin\EditorPlugin::convertToBbCode($html);

Code:
Error: Non-static method XF\ControllerPlugin\EditorPlugin::convertToBbCode() cannot be called statically in src/addons/MyAddon/Pub/Controller/MyController.php at line 506

Is there another way to call the controller?
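The store-BBCode-then-render flow recommended above, and the plugin() call the last post was missing, as an added example that is not from any thread participant or from XenForo itself. The entity name MyAddon:Note, its message column, the 'message' editor input key and the route names are assumptions.

```php
<?php
// Added example: a minimal XF 2.3 controller that captures WYSIWYG input as
// BBCode, stores only the BBCode, and renders HTML on output.
// Assumed names: the 'MyAddon:Note' entity, its 'message' column, and the
// 'message' input key used by the editor template helper.

namespace MyAddon\Pub\Controller;

use XF\Mvc\ParameterBag;
use XF\Pub\Controller\AbstractController;

class Note extends AbstractController
{
    public function actionSave(ParameterBag $params)
    {
        $this->assertPostOnly();

        // The editor plugin is obtained with plugin(), not controller(), and
        // its methods are instance methods, so it is never called statically.
        // fromInput() reads the editor's HTML field and converts it to BBCode,
        // so untrusted HTML is never written to the database as-is.
        /** @var \XF\ControllerPlugin\EditorPlugin $editorPlugin */
        $editorPlugin = $this->plugin(\XF\ControllerPlugin\EditorPlugin::class);
        $bbCode = $editorPlugin->fromInput('message');

        /** @var \MyAddon\Entity\Note $note */
        $note = $this->em()->create('MyAddon:Note');
        $note->message = $bbCode; // BBCode is stored, the raw HTML is not
        $note->save();

        return $this->redirect($this->buildLink('notes/view', $note));
    }

    public function actionView(ParameterBag $params)
    {
        $note = $this->assertRecordExists('MyAddon:Note', $params->note_id);

        // Render on output: the BBCode renderer escapes text and only emits
        // markup for known tags, which is where the XSS protection lives.
        $html = \XF::app()->bbCode()->render($note->message, 'html', 'note', $note);

        return $this->view('MyAddon:Note\View', 'myaddon_note_view', [
            'note' => $note,
            'html' => $html,
        ]);
    }
}
```

In a template the same output step is normally done with the bb_code() helper instead of pre-rendering in PHP.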
 