I’m making a little forum engine on CakePHP based more or less on phpBB.
So, when somebody posts a message, they enter the text in a textarea, and in a beforeSave(), among other actions, the system uses Sanitize::html() to replace the characters to make HTML input safe. The problem is that when the user wants to edit the message it should be “encoded back” to plain text so they don’t have to handle this encoding.
But I haven’t found a function that converts from HTML entities to plain text. Is there any function that can do that, either natively in PHP or as part of CakePHP?
Do not sanitize on input, only escape with h() on output. That is the recommended approach.
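As an added example illustrating the answer above (not code from the question, the answer or CakePHP itself): the post body is stored exactly as typed and escaped only at render time, including inside the edit textarea, so no "decode back" step is ever needed. The `h()` defined here is an assumption that mimics CakePHP's helper (a wrapper around `htmlspecialchars()` with `ENT_QUOTES` and UTF-8) so the script runs without the framework; the sample post text is constructed.

```php
<?php
// Added example, not part of the original question, answer or CakePHP.
// h() below is assumed to behave like CakePHP's h() helper: htmlspecialchars()
// with ENT_QUOTES and UTF-8. Defined locally so the script runs stand-alone.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample post containing markup-significant characters.
$raw = 'Use <b>bold</b> & "quotes" in posts';

// 1. Store as-is. No Sanitize::html() in beforeSave(); the database row holds
//    the text the author typed.
$stored = $raw;

// 2. Display in a post view: escape once at output, so the browser renders the
//    text literally instead of interpreting <b> as markup.
$postHtml = '<div class="post">' . h($stored) . '</div>';

// 3. Edit form: escape the same way inside the textarea. The browser decodes the
//    entities when it renders the control, so the author sees the original text
//    and can edit it without ever seeing &lt; or &amp;.
$editHtml = '<textarea name="body">' . h($stored) . '</textarea>';

// 4. The failure mode of sanitizing on input: the stored value is already
//    encoded, so escaping again on output double-encodes it and the reader sees
//    the literal string "&lt;b&gt;" in the rendered page.
$sanitizedOnInput = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
$doubleEncoded    = h($sanitizedOnInput);

// 5. For rows that were already encoded on input, html_entity_decode() is PHP's
//    native reverse of htmlspecialchars() and recovers the raw text for a one-off
//    migration back to "store raw, escape on output".
$migratedBack = html_entity_decode($sanitizedOnInput, ENT_QUOTES, 'UTF-8');

echo $postHtml, "\n";
echo $editHtml, "\n";
echo $doubleEncoded, "\n";
var_dump($migratedBack === $raw);
```

Run it from the command line with `php example.php`. The first two lines show the single-escaped output used for both display and editing; the third shows the double-encoded text that results from sanitizing on input and escaping again on output, which is exactly the "encode back" problem the question describes; the final `var_dump` confirms that `html_entity_decode()` restores the original text from the encoded form.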