Preventing HTML in forms?

liunx

Guest
Hi,
I have a php classifieds script where the user can place ads, however, it doesn't strip any HTML, so fonts can be changed, pictures added, etc...

How do I change this to strip any HTML from the user's input, or at the very least not allow it to process?

Thanks,
- Carole

in your script you should be able to deny certain calls/syntaxing for files. Depending on what your script is for, most have options for limits.

open for suggestions
chris<pixelmonkey>

What server side scripting are you using? What we do is we parse the textarea before we save it. We do an extended search and replace. I look for a number of general HTML tags, and replace them with "" (nothing). I have used Javascript to do this client side BEFORE the form even gets to server side.

In any event, it's not too hard to do it. An easier way would be to look for just < and > and replace them with "". Or you could send up JS alerts to tell the user that HTML is not allowed, and also clear out the textarea.

If I have some time this evening, I'll see what client side I can do.

Hi Doc...


they are using PHP.

In PERL the standard pattern to remove HTML code (and only HTML code) is to pattern match and substitute as follows:

$value =~ s/<([^>]|\n)*>//g;

can be used as a global substitution or can be used on any input field to allow HTML in some but not in other.

"=~" binds the pattern match and returns true
"s" tells PERL to substitute what is between the slashes /subthis/withthis/
"g" tells PERL to replace all instances of the match found in the string

Regards,
Kevin

DR. Web, missing the obvious!

Anyway, here is the client side version. All it does is allow you to paste in some HTML in the left textarea. Then press "tab" or click somewhere. In the right side, the text is parsed, and all "<" and ">" characters are removed... nulling the HTML.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Untitled</title>
<script language=javascript>
function change(){
var entry=document.form1.textEntry.value;
//the regExpObj is the actual pattern for matching: only the two angle brackets//
//(a range like [<->] would also match "=", so list the characters individually)//
var pattern=new RegExp("[<>]","g");
var modifiedEntry=(entry.replace(pattern, ""));
document.form1.textEntryModified.value=modifiedEntry;
}
</script>
</head>
<body>
<form name=form1>
<textarea name=textEntry rows=15 cols=15 onBlur="change();"></textarea>
<textarea name=textEntryModified readOnly rows=15 cols=15></textarea>
</form>
</body>
</html>
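An added comparison (my code, not anything posted in the thread): the stripping approaches discussed above, run side by side with plain HTML escaping on a constructed ad text, so you can see what each one removes from legitimate input.

```javascript
// Added example, not part of the original thread.
// Compares "strip the markup" (as proposed above) with "escape on output".

// A character class written as a range, [<->], covers "<", "=" and ">"
// (0x3C to 0x3E), so it silently eats every "=" in the user's text too.
function stripAngleRange(text) {
  return text.replace(/[<->]/g, "");
}

// Remove only the two angle brackets, as the client-side post intends.
function stripAngles(text) {
  return text.replace(/[<>]/g, "");
}

// Kevin's Perl pattern s/<([^>]|\n)*>//g translated to JavaScript: drop
// whole tags, keep the text between them. Note that [^>] also matches "<",
// so a bare "<" in prose extends the match up to the next real tag.
function stripTags(text) {
  return text.replace(/<[^>]*>/g, "");
}

// Escaping: the text is stored as the user typed it and, when inserted
// into an HTML text context, the browser renders it as text, not markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample ad text: a legitimate "<" in prose plus a real tag.
const SAMPLE = "Bike for sale, price < 100, see <b>photos</b>, x=5";

// Run all four on the sample; returned as an object so callers can inspect it.
function compare(text) {
  return {
    range: stripAngleRange(text),
    angles: stripAngles(text),
    tags: stripTags(text),
    escaped: escapeHtml(text),
  };
}

for (const [name, out] of Object.entries(compare(SAMPLE))) {
  console.log(name.padEnd(8), JSON.stringify(out));
}
```

Only the escaped version keeps the seller's "price < 100" intact; the tag-stripping regex loses everything between the stray "<" and the end of the `<b>` tag.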