I have a rich text editor (tinyMCE specifically) in a textarea and I'm saving the HTML contents of that textarea into a PHP variable, as well as saving it in a hidden input field. I'm wondering how I can make this both secure and functional, especially with apostrophes or quotation marks that conflict with my hidden input.

I've tried using htmlspecialchars and htmlspecialchars_decode, but it's not fully working as sometimes I'll get random backslashes in the output (thus it's not properly functioning.) However, this does seem to prevent issues with apostrophes or quotation marks conflicting with the HTML of the hidden input field.

Is there a perfect solution? I'm thinking about TryIt Editor, and how it can display html elements as well as apostrophes or quotation marks with no problems (as far as I know). How can I do something like that in my rich text editor?


Solution

I was on the right track thinking to use htmlspecialchars, I just needed to take it one step further and also use stripslashes. This removed the backslashes I was getting from htmlspecialchars.

So something like:

$content = htmlspecialchars($_POST["textarea"]);

And then when I needed to output it, something like this:

$htmlcode1 = "<html> \n <body>";
$htmlcode2 = "</body> \n </html>"; // closing tag, was "<html>" in the original post
$somecontent = htmlspecialchars_decode(stripslashes($htmlcode1.$content.$htmlcode2));

Hope this helps someone else out in the future!
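An added example, written for this page and not the answer's own code, that separates the two jobs the answer mixes together: encoding the editor's HTML so it survives the round trip through the hidden input and the textarea, and deciding which of that HTML may render on a page. It targets PHP 7 or later. The POST array is constructed, and the tag and attribute allowlists are assumptions to widen to whatever TinyMCE toolbar is actually enabled. Two points it relies on: the stray backslashes in the question are what magic_quotes_gpc added to POST data on PHP before 5.4, so on current PHP stripslashes() is not needed and would corrupt legitimate backslashes; and htmlspecialchars_decode() on stored user input hands back the user's raw markup, so echoing its result into a page is a stored XSS. The browser decodes the attribute value itself, so no decode step is needed server-side.

```php
<?php
declare(strict_types=1);

// Constructed sample of what TinyMCE might submit: both kinds of quote plus a
// payload that must never reach the page as live markup.
const SAMPLE_POST = [
    'textarea' => '<p>Tom said "it\'s fine" &amp; left</p><img src=x onerror="alert(1)">',
];

// Tag/attribute allowlists are assumptions for this example; match them to the
// editor features you enable.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'template'];

// Step 1: take the posted HTML unchanged. Only PHP < 5.4 with magic_quotes_gpc
// added backslashes; current PHP never does, so there is nothing to strip.
function posted_html(array $post, string $key): string
{
    return (string) ($post[$key] ?? '');
}

// Step 2: attribute context. ENT_QUOTES escapes both ' and " so the content
// cannot close the attribute, whichever quote style the markup uses.
function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '" value="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Same rule when re-populating the editor's textarea.
function textarea_field(string $name, string $value): string
{
    $n = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<textarea name=\"$n\">" . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</textarea>';
}

// Step 3: display context. Filter through the allowlist; never "decode" user HTML.
function sanitize_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate the fragment's parse warnings
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    clean_children($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);          // text nodes come back entity-escaped
    }
    return $out;
}

function clean_children(DOMNode $node): void
{
    // Copy the list first: removing or moving children while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                            // text is escaped on serialisation
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);          // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);          // drop element and everything inside it
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element: keep its (cleaned) children, drop the wrapper.
            clean_children($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($keep && $name === 'href') {
                // Relative, http(s) and mailto only: blocks javascript: and data: URLs.
                $keep = (bool) preg_match('~^(?:https?:|mailto:|/|#)~i', trim($attr->value));
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        clean_children($child);
    }
}

// Usage: the form round trip and the display path.
$content = posted_html(SAMPLE_POST, 'textarea');
echo hidden_field('content', $content), "\n";
echo textarea_field('textarea', $content), "\n";
echo sanitize_html($content), "\n";
```

With the sample input, the hidden field and textarea carry the full markup as entities and submit it back byte-for-byte, while sanitize_html() keeps the paragraph and drops the img element with its onerror handler. A DOM walk is used rather than regular expressions because the HTML parser, not a pattern, decides where tags and attributes begin and end, which is the same decision the browser will make.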

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow