allow html in "TinyMce" textarea and display message as html in email

**kyle** · 25-Jul-2011, 09:33 PM

I have a TinyMCE editor script in my form which allows users to add html tags to their message (kind of like this post).

When I receive the email (and in the autoresponder email) though, the html tags are converted, So I literally get something like:

"Hi there"

which translates to:

" Hi there "

Any way to fix that?

http://www.candpgeneration.com/contact.php

**russellr** · 26-Jul-2011, 01:14 AM

Hi,

FormMail isn't doing this on your form as it's a straight plain text email you're sending. You can only get HTML if you instruct FormMail to use an HTML template (but see below).

Therefore, I think TinyMCE is doing this conversion (which actually makes perfect sense).

Check out this FAQ item: http://tinymce.moxiecode.com/wiki.php/TinyMCE_FAQ#TinyMCE_strip_away_attributes_or_tags_from_my_source.3F

Even if TinyMCE *didn't* do this, FormMail would do it with field values (even when using an HTML template) because it's a security problem.

For example, if an attacker could submit HTML in your form, this means they could submit code that hides or obfuscates information and make you vulnerable to attack. In the worst case, they could send you JavaScript code that executed in your mail client, or browser, and who knows what they could achieve!

Currently, the only safe thing to do is to encode any HTML entities.

Of course, for harmless stuff like , and , this is too stringent.

Version 8.29 has a new configuration feature called TEXT_SUBS, which we implemented to allow special fields (like template_list_sep) to safely contain HTML strings.

A future version could conceivably utilize this feature to allow input from TinyMCE to be shown the way you want in HTML emails.

**colchiro** · 22-Aug-2011, 10:21 PM

I'm also having this problem using jQuery WYSIWYG plug-in.

If I post w/o FormMail, it works fine, but with FormMail, I get ascii encoded characters.... < turns into <

I can see where sending html is not valid for most fields, but I'd like to enable it for just one.

**russellr** · 23-Aug-2011, 07:26 AM

Hi,In an HTML email it's just not safe to send through < input via the form.It has to be translated to < for security reasons.If your email program is not showing it as

**colchiro** · 23-Aug-2011, 12:16 PM

Hi Russell, thanks for the quick reply.

Unfortunately, not using FormMail, is even riskier/less attractive.

We use Outlook, which has some security of it's own, so feel leaving one field unprotected is a compromise we can live with.

The form I have setup is quite large (printed is 4 pages) with easily around 100 fields so not easy to add just the fields we want protected. (I think I saw that option.)