Html in my database!

Question

I am faced with something I dont know where to start with.

I currently have a news section on my website, the news is added into the database. However, it's very dull and has no formatting!

How can I allow the admin thats adding news to make things bold or underlined and have colour etc. Will it be possible to save this in the database as I usually do.

Sorry if it's a really silly question, but it's something I haven't come across before!

Thanks

Answer 1

Whilst you can put HTML in your database and display it directly without the normal encode step that you would use outputting text into HTML, I wouldn't recommend it unless you absolutely trust everyone that'll be entering content.

I mean trust not just as in security (because anyone who can insert HTML into your page will be able to take over other users' usage of the site via script-injection), but also competence: it only takes one stray unclosed <div> or other similar markup mistake to completely hose the page layout.

One possibility is to vet incoming HTML submissions using a strong HTML tidier and ‘purifier’ to allow only known-safe markup. This is a tricky job, so use an existing library to do it. Alternatively, and perhaps more usably, you can provide a simple markup language of your own. For example *italic*, **bold**, http:​//www.example.com/ -> italic, bold, http://www.example.com/.

There are lots of these little markup languages about. The one Stack Overflow uses, that I'm typing in this box right now, is called Markdown.

(Markdown's not my favourite, primarily because in the usual implementation it also allows HTML content inside the markup itself, which is a bit ugly and causes problems here when people try to talk about tags without putting them in `-quotes. But it's a popular example; there are many more: bbcode, reST, Textile etc...)