Hi everyone!
Describing the situation:
On a site, any user can send information for saving in a database through text fields and textareas. By the rules, output data should be escaped before displaying in the browser.
But TinyMCE escapes characters before saving or editing, meaning the data is entered into the database such that "Bill" becomes &quot;Bill&quot;, so if you use htmlspecialchars on output
data, this function is used twice and something like this appears on the page: &quot;Bill&quot;.
If you don't use htmlspecialchars on output (because this function has already been used in TinyMCE, which is wrong, since escaped text need not be saved in the database), the input fields
which were filled by users but were not checked by the administrator could be dangerous for output.
The following questions:
1) Is there any way to turn off escaping by htmlspecialchars in Grocery CRUD's TinyMCE? The point is to use htmlspecialchars once, in the output. For the text from TinyMCE I can use HTML Purifier.
What can you advise me?
2) The reason for posting here: I'm not sure that Grocery CRUD escapes output at all. I understand that an admin has no reason to harm his own site, but...
I need to use callbacks for this stuff, don't I? Is there any sense in escaping output in the administration panel?
I want to know your opinion.
Thank you!
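As an added example (not code from the original post, from Grocery CRUD or from TinyMCE), the following PHP shows how the double-escaped &quot;Bill&quot; described above arises, two ways to escape exactly once in the view, and a sanitize-on-save callback for the rich-text field. The column names 'title' and 'body', the $crud variable, and the HTML Purifier allow-list are assumptions; the callback_before_insert/callback_before_update names are Grocery CRUD's documented 1.x callbacks as I recall them, so check them against your version.

```php
<?php
// Added example; not from the original post, Grocery CRUD or TinyMCE.
// Assumes HTML Purifier is installed (e.g. via Composer autoload) and that a
// Grocery CRUD instance is in $crud with an assumed plain-text column 'title'
// and an assumed rich-text (TinyMCE) column 'body'.

// Escape plain text for HTML output. ENT_QUOTES covers single quotes as well.
function escape_once(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same call with double_encode = false: entities already present (&quot;, &lt;)
// are left alone, so rows that were escaped on the way in are not escaped a
// second time. A stop-gap for legacy rows, not a replacement for fixing the input side.
function escape_idempotent(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// Reproduces the symptom from the post: escaped on input, escaped again on output.
function demonstrate_double_escape(string $raw): array
{
    $stored = escape_once($raw); // what lands in the DB when the form escapes before saving
    return [
        'stored'     => $stored,                     // &quot;Bill&quot;
        'double'     => escape_once($stored),        // &amp;quot;Bill&amp;quot; -> page shows &quot;Bill&quot;
        'idempotent' => escape_idempotent($stored),  // &quot;Bill&quot; -> page shows "Bill"
    ];
}

// For the TinyMCE field the goal is different: its HTML must render, so the
// control is an allow-list sanitizer, not htmlspecialchars. Store purified HTML
// and print it unescaped in the view.
function purify_html(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // Allow-list (assumed for this example) of what the site actually needs; everything else is dropped.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,blockquote,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
    return (new HTMLPurifier($config))->purify($html);
}

// Sanitize on save rather than on display, so every consumer of the row gets
// data that is already safe. Both callbacks receive the POST array and return it.
$sanitize = function (array $post_array): array {
    if (isset($post_array['body'])) {
        // If the editor entity-encoded the HTML before submitting, decode it first so
        // the purifier sees real tags instead of literal &lt;p&gt; text.
        $html = html_entity_decode($post_array['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $post_array['body'] = purify_html($html);
    }
    return $post_array;
};

if (isset($crud)) {
    $crud->callback_before_insert($sanitize);
    $crud->callback_before_update($sanitize);
}

// In the view, admin panel and public site alike:
//   echo escape_once($row->title);   // plain-text column: escape exactly once, here
//   echo $row->body;                 // purified HTML column: already safe, do not escape again
```

The split is the point: plain-text columns are stored raw and escaped exactly once at output, while the rich-text column is made safe by the purifier at save time and rendered as-is. Escaping in the administration panel is still worthwhile, because the admin views rows that unchecked users wrote; the admin's own trustworthiness does not protect the admin's browser from their input.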