CKeditor outputs html. How to convert it for saving?

I am using CKeditor, and this is my code:

       ...othercode..
    
      
     <div class="input-field col s12">
                        <textarea id="textarea1" class="materialize-textarea"></textarea>
                        <label for="textarea1">Body of the Post</label>
                    </div>
                    <input type="submit" name="Submit" id="sub">
                </form>
            </div>
        </div>
    </div>
    {{else}}
    <div>You are not logged in.</div>
    {{/if}}
    <script>
    CKEDITOR.replace('textarea1');
    </script>

In Javascript, I use the same id to extract the text from the textarea, because I have to save it to collection. (Notice the handlebars.)

When I do that, It returns the html code, and that is saved as a string inside collection, and the handlebar doesnt do anythign and displayed the same html, without giving meaning to the html tags, i.e., just lame html.

How can this be converted to string anywhere, so that, the {{body}} handlebar shows exactly how it was typed inide CKeditor, and not what the backend of ckeditor returns.

Are you using SimpleSchema and Collection2?

On the Server:

I am not using SimpleSchema. I am just using the basic syntax Posts = new Mongo.Collection("posts");.

And then using

Posts.insert({body:bodyVar

})

where bodyVar is extracted using jQuery.

In your template, use triple-staches, i.e. {{{body}}}, to display the html.

WARNING
By doing this, you are exposing yourself / your users to XSS attacks. You have to be really careful about sanitiziting your html before storing it in the db. As a starting point, perhaps look into djedi:sanitize-html.

Sanitization usually is a client-side operation, performed before injecting to {{{ }}}. To know more about this, Google the following: validation vs sanitization.
As far as I know, there is only one available Meteor package for that: vazco:universe-html-purifier.

What does the attack mean?

Why does the HTML need to be purified before saving? I am ultimately putting it inside the html anyway, then why does the purification step is inevitable?

A corrupted client could send to the server some malicious HTML (for example with Javascript to be executed on other clients to steal sensitive data). So you need to sanitize the HTML, either on the server when receiving the data, on the server when sending the data back to other clients, or on the client before injecting into the {{{ }}}.

1 Like

Alright. I’ll use the packages referenced. Thanks.

They basically do the same thing. Use one or the other.

I’d probably recommend (without looking too deeply into it) using vazco:universe-html-purifier, as it works on server and client (djedi:html-sanitizer is server only, if I remember right).