Question

I recently started to use NicEdit on my "Article Entry" page. However, I have some questions about security and preventing abuse.

First question: I currently sanitize every input with "mysql_real_escape_string()" in my database class. In addition, I sanitize HTML values with "htmlspecialchars(htmlentities(strip_tags($var)))".

How would you sanitize your "HTML inputs" while adding them to the database, or does the way I'm doing it work perfectly?

Second question: While I was writing this question, there was a question with a "similar title", so I read it once. It was someone speaking about "abused HTML inputs" to mess with his valid template. (e.g. just input)

It may occur on my current system too. How should it be dealt with in PHP?

PS. I want to keep using NicEdit, so using a BBCode system should be the last advice.

Thank you.


Solution

  1. mysql_real_escape_string is not sanitization; it escapes text values to keep the syntax of the SQL query valid/unambiguous/injection-safe.
  2. strip_tags is sanitizing your string.
  3. Doing both htmlentities and htmlspecialchars in order is overkill and may just garble your data. Since you're also stripping tags right before that, it's double overkill.
  4. The rule is to make sure your data doesn't break your SQL syntax, therefore you mysql_real_escape_string once before putting the data into the query. You also do the same thing, protecting your HTML syntax, by HTML escaping text before outputting it into HTML, using either htmlspecialchars (recommended) or htmlentities, not both.
  5. For a much more in-depth excursion into all this read The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
  6. I don't know NicEdit, but I assume it allows your users to style text using HTML behind the scenes. Why are you stripping the HTML from the data then? There's no point in using a WYSIWYG editor then.

Other tips

This is a function I am using in one of my NICEDIT applications and it seems to do well with the code that comes out of nicedit.

    function cleanFromEditor($text) {

        //try to decode html before we clean it then we submit to database
        $text = stripslashes(html_entity_decode($text));

        //clean out tags that we don't want in the text
        $text = strip_tags($text, '<p><div><strong><em><ul><ol><li><u><blockquote><br><sub><img><a><h1><h2><h3><span><b>');

        //conversion elements
        $conversion = array(
            '<br>'  => '<br />',
            '<b>'   => '<strong>',
            '</b>'  => '</strong>',
            '<i>'   => '<em>',
            '</i>'  => '</em>'
        );

        //clean up the old html with new
        foreach ($conversion as $old => $new) {
            $text = str_replace($old, $new, $text);
        }

        return htmlentities(mysql_real_escape_string($text));
    }
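Putting the rule from the first answer (escape once, per context, and keep the editor's HTML instead of stripping it) together with the tag allowlist used in the cleanFromEditor() function above, as an added example that is not code from either answer; the names sanitizeEditorHtml(), saveArticle() and renderTitle(), the articles table and the PDO connection are assumptions:

```php
<?php
// Added example, not code from the question or the answers. Assumed names:
// sanitizeEditorHtml(), saveArticle(), renderTitle(); the "articles" table is made up.
function sanitizeEditorHtml(string $html): string {
    $allowedTags  = ['p', 'div', 'strong', 'em', 'ul', 'ol', 'li', 'u', 'blockquote', 'br',
                     'sub', 'img', 'a', 'h1', 'h2', 'h3', 'span', 'b'];
    $allowedAttrs = ['a' => ['href'], 'img' => ['src', 'alt']];   // every other attribute is dropped

    // Pass 1: remove tags that are not on the list (this is all strip_tags can do).
    $html = strip_tags($html, '<' . implode('><', $allowedTags) . '>');

    // Pass 2: strip_tags keeps every attribute on an allowed tag, so parse the
    // fragment and remove the attributes that are not allowed for that tag.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the editor's loose markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper is the outermost div
    foreach ($root->getElementsByTagName('*') as $el) {
        $keep  = $allowedAttrs[strtolower($el->tagName)] ?? [];
        $names = [];   // collect first: removing while iterating $el->attributes is unsafe
        foreach ($el->attributes as $attr) { $names[] = $attr->name; }
        foreach ($names as $name) {
            $isUrl = in_array($name, ['href', 'src'], true);
            // Unlisted attribute, or a URL that is neither http(s) nor relative: remove it.
            if (!in_array($name, $keep, true)
                || ($isUrl && !preg_match('#^(https?:|/|[^:/]+(/|$))#i', trim($el->getAttribute($name))))) {
                $el->removeAttribute($name);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;   // this is HTML by design, so it is NOT htmlspecialchars()'d again on output
}

// SQL context: a prepared statement sends the values separately from the query text,
// so neither mysql_real_escape_string() nor any other escaping is applied to the data.
function saveArticle(PDO $db, string $title, string $editorHtml): void {
    $stmt = $db->prepare('INSERT INTO articles (title, body_html) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => sanitizeEditorHtml($editorHtml)]);
}

// HTML context for plain-text fields: escape once, at output time, never before storing.
function renderTitle(string $title): string {
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// Constructed sample: the onclick handler and the javascript: link are removed, the rest survives.
echo sanitizeEditorHtml('<p onclick="x()">Hi <a href="javascript:x()">me</a> <img src="pic.png" alt="p"></p>');
```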
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow