Posted

User input should be sanitized...

If I use CKEditor in the PW admin to change a field value, it should be sanitized by CKEditor Advanced Content Filter (ACF) and HTML Purifier (activated at CKEditor Settings).

At the moment I'm playing with frontend edit solutions.

  1. Frontend form (based on form api and PW inputfields) with a custom save process (set and save field value with PW api)
  2. Inline edit (jquery plugins jEditable, x-editable, jinplace) and a custom save process (see above)

So the values are not saved by the PW admin / backend process and would be saved without sanitizing in both ways above... right?

Posted

Thanks, 

I always use $sanitizer, but now need to use purifier for the first time.

So I want to know if it is really needed or implemented into the field save process based on field type. ;)

Posted

To my knowledge purifier does not run when saving textarea via api in your own forms. So you should do it yourself, according to needs.

I'm not sure how it works when using PW inputfields outside of the admin (solution 1). I've never done that. Should be easy to test.
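A sketch of the custom save process discussed in this thread, with the purifier step done by hand. It is an added example, not code from any of the posters or from ProcessWire itself. It assumes a ProcessWire template file, the core MarkupHTMLPurifier module installed, and hypothetical field names `body` (rich text), `headline` (plain text) and a hidden `page_id` input.

```php
<?php namespace ProcessWire;
// Added example: save handler for a frontend form or an inline-edit AJAX call.
// Assumptions: $input, $pages, $session, $modules and $sanitizer are the usual
// API variables of a template file; "body", "headline" and "page_id" are
// hypothetical names; the form was rendered with $session->CSRF->renderInput().

$id = (int) $input->post->page_id;

if($id) {
    // Reject forged requests before touching any data (throws on failure).
    $session->CSRF->validate();

    // Only save to a page that exists and that the current user may edit.
    $p = $pages->get($id);
    if(!$p->id || !$p->editable()) throw new Wire404Exception();

    // Rich text: run the submitted markup through HTML Purifier ourselves,
    // so script tags, event-handler attributes and other markup outside the
    // purifier's allowed set are stripped before the value is stored.
    $purifier = $modules->get('MarkupHTMLPurifier');
    $body = $purifier->purify((string) $input->post->body);

    // Plain text: no markup is expected at all, so $sanitizer->text() is the
    // right tool here (strips tags, collapses to a single line).
    $headline = $sanitizer->text($input->post->headline);

    $p->of(false);          // output formatting off before setting values
    $p->body = $body;
    $p->headline = $headline;
    $p->save();
}
```

The same handler serves both approaches from the first post, since the form-API form and the inline-edit plugins both end in a POST that sets field values through the API.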
