<p>Glow your own: Comb jellies make<br>&nbsp;<br>their own glowing compounds<br>&nbsp;<br>instead of getting them from food<br>News</p>
<p>12.10.20</p>
<p><br>The researchers raised several generations of comb jellies, including Mnemiopsis leidyi, in captivity feeding them only organisms that did not contain coelenterazine. Photo by William Browne.<br>Glow your own: Comb jellies make their own glowing compounds instead of getting them from food</p>
You said:
I used tinymce to enter this snippet into my database via a textarea input form. While in the form, it renders perfectly. When I pull search results, it renders with a lot of character entities. How can I get the rendered page to render the characters?
You said:
Here is my rendering code:
<?php
include 'database.php';
function h($s) { return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
// SAFER: validate the id to avoid SQL injection (per ChatGPT 11/2/2025)
$content_id = filter_input(INPUT_GET, 'content_id', FILTER_VALIDATE_INT);
if ($content_id === null || $content_id === false) { die('Bad content_id'); }
$sql = "SELECT *
FROM sources
JOIN authors ON sources.author_id = authors.author_id
JOIN content ON sources.source_id = content.source_id
WHERE content.content_id = ?";
$stmt = mysqli_prepare($connection, $sql);
mysqli_stmt_bind_param($stmt, 'i', $content_id);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
// Assign variables
$content = $row['content'] ?? '';
$source_id = (int)($row['source_id'] ?? 0);
$timeline_title = $row['timeline_title'] ?? '';
$project_id = $row['project_id'] ?? '';
$date_published = $row['date_published'] ?? '';
$source_title = $row['source_title'] ?? '';
$author_name = $row['author_name'] ?? '';
$author_id = (int)($row['author_id'] ?? 0);
$primary_doc = $row['primary_doc'] ?? '';
$published_in = $row['published_in'] ?? '';
$race_described = $row['race_described'] ?? '';
$full_text = $row['full_text'] ?? '';
$online_link = $row['online_link'] ?? '';
$start_date = $row['start_date'] ?? '';
$end_date = $row['end_date'] ?? '';
$filename_received = $row['filename_received'] ?? '';
$filename_assigned = $row['filename_assigned'] ?? '';
// Build a safe edit URL
$edit_qs = http_build_query([
'content_id' => $content_id,
'timeline_title' => $timeline_title,
]);
$edit_url = "../pages/content_update.php?$edit_qs";
// Output (escape text, keep pre-wrap for formatting)
echo
"Date Published: " . h($date_published) . "<br>" .
"Source: <a href='source.php?source_id=" . $source_id . "'>" . h($source_title) . " (ID" . $source_id . ")</a><br>" .
"Author: " . h($author_name) . " (ID" . $author_id . ")<br>" .
"Primary doc? " . h($primary_doc) . "<br>" .
"Published in: " . h($published_in) . "<br>" .
"Race described: " . h($race_described) . "<br>" .
"Full text? " . h($full_text) . "<br>" .
"Online link: " . ( $online_link ? "<a href='" . h($online_link) . "' target='_blank' rel='noopener'>" . h($online_link) . "</a>" : "" ) . "<br>" .
"Content id: " . $content_id . "<br>" .
"Filename received: " . h($filename_received) . "<br>" .
"Filename assigned: " . h($filename_assigned) . "<br>" .
h($start_date) . " - " . h($end_date) . "<br>" .
"<h3>" . h($timeline_title) .
"<a href='" . h($edit_url) . "'><img src='../images/edit20.png' alt='edit'></a><br></h3>" .
"<div style='white-space: pre-wrap;'>" . h($content) . "</div>";
// SQL SELECT * FROM Crossrefs
echo "<h3>Cross references</h3>";
$sql = "SELECT *
FROM crossrefs
WHERE $content_id = content_id_1 OR $content_id = content_id_2;
";
$result = mysqli_query($connection, $sql);
// while($row = mysqli_fetch_assoc($result))
// { echo $row['crossref_id'] . "<br>"; }
// Assign variables for cross references - START WHILE
while($row = mysqli_fetch_assoc($result))
{
$crossref_id = $row['crossref_id'];
$content_id_1 = $row['content_id_1'];
$content_id_2 = $row['content_id_2'];
// echo "content_id: " . $content_id . "<br>" .
// "crossref_id: " . $crossref_id."<br>" .
// "content_id_1: " . $content_id_1."<br>" .
// "content_id_2: " . $content_id_2."<br>";
if ($content_id == $content_id_1) {
$other_content_id = $content_id_2;
} else {
$other_content_id = $content_id_1;
}
// SQL SELECT * FROM Sources and Content for cross reference (other content_id)
$sql = "SELECT *
FROM sources
JOIN authors
ON sources.author_id = authors.author_id
JOIN content
ON sources.source_id = content.source_id
WHERE content.content_id= $other_content_id;
";
// Reassign variables for cross-reference content
$crossRefContentResult = mysqli_query($connection, $sql);
$row = mysqli_fetch_assoc($crossRefContentResult);
$content = nl2br($row['content']);
$source_id = nl2br($row['source_id']);
// Display cross-reference Source and Content data
echo
"<h3>".$row['timeline_title']."</h3>" . "<br>"
. "Date Published: " . $row['date_published'] . "<br>"
. "Source: " . "<a href='source.php?source_id=$source_id'>" . $row['source_title'] . " (ID". $row['source_id'] . ") </a><br>"
. "Author: " . $row['author_name'] . " (ID". $row['author_id'] . ") <br>"
. "Content_id: " . $row['content_id'] . "<br>"
. $content;
}
You said:
My database 'content' field should only contain text. It already contains 76000 medium text records. To eliminate images, I have copied source material and pasted as text only (shift-ctrl-v) into a plain textarea field. I now want to type directly into that field using formatting. I want to protect the input field from XSS
You said:
You said, "Make sure you're not encoding on insert. Before I installed TinyMCE, I protected my database with htmlspecialchar() on every input field. This is my entire input statement for the form that contains the new TinyMCE content field. Your suggestion to replace that with a prepared statement seems to be in a different language.
<?php
// Connect to database
include "database.php";
// Get source ID from POST array
$project_id = htmlspecialchars($_POST['project_id']);
$timeline_title = htmlspecialchars($_POST['timeline_title']);
$start_date = htmlspecialchars($_POST['start_date']);
$end_date = htmlspecialchars($_POST['end_date']);
$content = $_POST['content'];
$source_id = htmlspecialchars($_POST['source_id']);
$filename_received = htmlspecialchars($_POST['filename_received']);
$filename_assigned = htmlspecialchars($_POST['filename_assigned']);
$sql = "INSERT INTO
content
(source_id,
project_id,
timeline_title,
start_date,
end_date,
content,
filename_received,
filename_assigned)
VALUES
('$source_id',
'$project_id',
'$timeline_title',
'$start_date',
'$end_date',
'$content',
'$filename_received',
'$filename_assigned'
);";
mysqli_query($connection, $sql);
header("Location: ../pages/source.php?source_id=$source_id");
You said:
I checked HTML Purifier's website. Chrome says it is not a secure page. The most recent news post is four years old. I don't want to depend on outside software. Is the installation local and standalone, or does it call out to its developers?
You said:
I will install HTML Purifier. What is the difference between clone and download zip from Github?
You said:
The download file is called htmlpurifier-master. Is that different than the htmlpurifier you are referring to?
You said:
I renamed and installed HTML Purifier. Should I add the require line to every php page that includes input forms?
You said:
content_add_run.php
File
I am attaching my data processing page. Why is the data still appearing the database with these html entity codes:
<p><strong>Welcome to AI for Work and Life</strong></p>
You said:
why is this code rendering marked up text rather than browser-formatted?
<?php
echo "<div class='collapsible'>
<a href='../pages/content.php?content_id=$content_id'><span class='littledate'>
$start_date</span>
$timeline_title </a></div>"
. "<div class='content'>$content</div>";
You said:
yes
You said:
If TinyMCE only allows clean HTML, why do I still need HTML Purifier?
You said:
I have uploaded the HTML Purifier file set to a folder called 'supports' in my root folder. Walk me through updating my form handlers to use it.
You said:
content_update_run.php
File
The input form works perfectly with your modifications. Here is the corresponding update form handler. Rewrite it to match the input form with the new improvements.
ChatGPT can make mistakes. Check important info.