^
Update this timeline entry
Added HTML Purifier to WYSIWIG editor
Source: Amy and ChatGPT #1356
Project ID
Chapter
No chapter
Timeline title
Start date
End date
Filename received
Filename assigned
Content
Enable editor
Use plain text
Code entry
<p>Glow your own: Comb jellies make<br> <br>their own glowing compounds<br> <br>instead of getting them from food<br>News</p> <p>12.10.20</p> <p><br>The researchers raised several generations of comb jellies, including Mnemiopsis leidyi, in captivity feeding them only organisms that did not contain coelenterazine. Photo by William Browne.<br>Glow your own: Comb jellies make their own glowing compounds instead of getting them from food</p> You said: I used tinymce to enter this snippet into my database via a textarea input form. While in the form, it renders perfectly. When I pull search results, it renders with a lot of character entities. How can I get the rendered page to render the characters? You said: Here is my rendering code: $content_id, 'timeline_title' => $timeline_title, ]); $edit_url = "../pages/content_update.php?$edit_qs"; // Output (escape text, keep pre-wrap for formatting) echo "Date Published: " . h($date_published) . "
" . "Source:
" . h($source_title) . " (ID" . $source_id . ")
" . "Author: " . h($author_name) . " (ID" . $author_id . ")
" . "Primary doc? " . h($primary_doc) . "
" . "Published in: " . h($published_in) . "
" . "Race described: " . h($race_described) . "
" . "Full text? " . h($full_text) . "
" . "Online link: " . ( $online_link ? "
" . h($online_link) . "
" : "" ) . "
" . "Content id: " . $content_id . "
" . "Filename received: " . h($filename_received) . "
" . "Filename assigned: " . h($filename_assigned) . "
" . h($start_date) . " - " . h($end_date) . "
" . "
" . h($timeline_title) . "
" . "
" . h($content) . "
"; // SQL SELECT * FROM Crossrefs echo "
Cross references
"; $sql = "SELECT * FROM crossrefs WHERE $content_id = content_id_1 OR $content_id = content_id_2; "; $result = mysqli_query($connection, $sql); // while($row = mysqli_fetch_assoc($result)) // { echo $row['crossref_id'] . "
"; } // Assign variables for cross references - START WHILE while($row = mysqli_fetch_assoc($result)) { $crossref_id = $row['crossref_id']; $content_id_1 = $row['content_id_1']; $content_id_2 = $row['content_id_2']; // echo "content_id: " . $content_id . "
" . // "crossref_id: " . $crossref_id."
" . // "content_id_1: " . $content_id_1."
" . // "content_id_2: " . $content_id_2."
"; if ($content_id == $content_id_1) { $other_content_id = $content_id_2; } else { $other_content_id = $content_id_1; } // SQL SELECT * FROM Sources and Content for cross reference (other content_id) $sql = "SELECT * FROM sources JOIN authors ON sources.author_id = authors.author_id JOIN content ON sources.source_id = content.source_id WHERE content.content_id= $other_content_id; "; // Reassign variables for cross-reference content $crossRefContentResult = mysqli_query($connection, $sql); $row = mysqli_fetch_assoc($crossRefContentResult); $content = nl2br($row['content']); $source_id = nl2br($row['source_id']); // Display cross-reference Source and Content data echo "
".$row['timeline_title']."
" . "
" . "Date Published: " . $row['date_published'] . "
" . "Source: " . "
" . $row['source_title'] . " (ID". $row['source_id'] . ")
" . "Author: " . $row['author_name'] . " (ID". $row['author_id'] . ")
" . "Content_id: " . $row['content_id'] . "
" . $content; } You said: My database 'content' field should only contain text. It already contains 76000 medium text records. To eliminate images, I have copied source material and pasted as text only (shift-ctrl-v) into a plain textarea field. I now want to type directly into that field using formatting. I want to protect the input field from XSS You said: You said, "Make sure you're not encoding on insert. Before I installed TinyMCE, I protected my database with htmlspecialchar() on every input field. This is my entire input statement for the form that contains the new TinyMCE content field. Your suggestion to replace that with a prepared statement seems to be in a different language.
$start_date
$timeline_title
" . "
$content
"; You said: yes You said: If TinyMCE only allows clean HTML, why do I still need HTML Purifier? You said: I have uploaded the HTML Purifier file set to a folder called 'supports' in my root folder. Walk me through updating my form handlers to use it. You said: content_update_run.php File The input form works perfectly with your modifications. Here is the corresponding update form handler. Rewrite it to match the input form with the new improvements. ChatGPT can make mistakes. Check important info.
Replace existing data with this data