Solved

How to NOT allow users to enter HTML in text box?

Posted on 2006-06-09
420 Views
Last Modified: 2013-12-24
I'm creating something similar to MySpace.com, but I don't want users to be able to enter HTML or style sheets in the text input & textarea boxes.  On MySpace, you can change the look of your individual profile page by entering HTML & style sheets into the text boxes.  I want to PREVENT users from being able to do this on my site.

So, the simple question is, how do you NOT allow users to enter HTML into a text field?  Is there an easy way to only allow text?
Question by:katrina_mc
8 Comments
 

Author Comment

by:katrina_mc
ID: 16870875
I just found the HTMLCODEFORMAT() function, which seems to do the trick upon inserting into the database.  But, if there is a better way than this, please let me know.  I want to make sure that people will not be able to change the look of the page in any way.
 
LVL 9

Expert Comment

by:73Spyder
ID: 16870989
That is really the best way.

Also, you can look into the cfqueryparam tag for protection from other items like SQL injection and other evils.

 
LVL 9

Accepted Solution

by: 73Spyder (earned 500 total points)
ID: 16871023
Or you could use this script

<cfscript>
// Remove anything that looks like a tag: a "<" up to the next ">", case-insensitive
function StripHTML(str) {
    return REReplaceNoCase(str, "<[^>]*>", "", "ALL");
}
</cfscript>

<cfset form.textarea = StripHTML(form.textarea)>

 
LVL 1

Expert Comment

by:garymorin
ID: 16871611
There is also a cf custom tag you can include to strip any html

I put it in my Application.cfm and it strips any HTML from URL and form variables being passed.

<!---
      
      Template:                        inputfilter.cfm
      Author:                        Peter Muzila
      
      Source Control:            $Header: $
      
      Description:
      
            The cf_inputFilter tag removes characters or tags from all fields coming from the
            specified scopes (form,cookie, or url). This tag can be placed in the Application.cfm
            file to filter out any input coming thru these scopes to any of the templates belonging
            to the application.cfm file.
            
            This tag can be executed only with CF 4.5 or higher
      
      Usage:
      
            <cf_inputFilter
                  scopes = "[FORM][,COOKIE][,URL]"
                  chars = "list_of_chars"
                  tags = "ALL|list_of_tags"
            >

      Attributes:

            scopes (string list, required) - comma-delimited list of input scopes to be filtered
            chars (string, optional) - string containing set of characters to be filtered out from the
                  input scope
            tags (string list, optional) - comma-delimited list of tag names to be filtered out from the
                  input scope
                  
            
--->

<!--- attributes validation --->
<cfparam name="attributes.scopes">
<cfparam name="attributes.chars" default="">
<cfparam name="attributes.tags" default="">

<cfscript>
    // prepare reg expression for the tag search
    reTags = "";
    if ( attributes.tags eq "ALL" ) {
        // re for any tag - "<*>"
        reTags = "<[^>]*>";
    } else if ( attributes.tags neq "" ) {
        // re for any of the listed tags, opening or closing - "</?(tag1|tag2|...|tagN)[^>]*>"
        reTags = "</?(#ListChangeDelims(attributes.tags, '|', ',')#)[^>]*>";
    }

    // get comma-delimited list of chars from char set, e.g. "ab" -> "a,b"
    charList = "";
    if ( attributes.chars neq "" ) {
        charList = attributes.chars;
        for ( i = Len(attributes.chars) - 1; i gte 1; i = i - 1 ) {
            charList = Insert(",", charList, i);
        }
    }
</cfscript>

<cfloop list="#attributes.scopes#" index="scopeName">
    <!--- multipart (file upload) posts are left alone --->
    <cfif not FindNoCase("multipart/form-data", cgi.CONTENT_TYPE)>
        <cfscript>
            // get the handle for the scope (form, cookie, url)
            s = Evaluate(scopeName);

            // scroll thru fields in the scope and handle only simple values
            for ( field in s ) {
                if ( IsSimpleValue(s[field]) ) {
                    // replace tags
                    if ( reTags neq "" ) {
                        s[field] = REReplace(s[field], reTags, "", "ALL");
                    }
                    // replace chars
                    if ( charList neq "" ) {
                        s[field] = ReplaceList(s[field], charList, "");
                    }
                }
            }
        </cfscript>
    </cfif>
</cfloop>


Regards

Gary
 

Author Comment

by:katrina_mc
ID: 16895535
I decided against the HTMLCODEFORMAT() tag because it inserts <pre></pre> into the text field after it is submitted to the database.  It also changes the way the text looks when displayed.

I tried using the custom tag (above) but it was not working.  I put this in the application file:
<cf_inputFilter scopes = "FORM,COOKIE,URL" tags = "ALL">
Did I do something wrong?

The only way I got it to work was a combination of using the custom tag & this:
<cfscript>
attributes.fieldname = REReplace(attributes.fieldname , "<[^>]*>","","ALL");
</cfscript>

When used separately (without both), the HTML tags were not deleted.  But when used together, everything within <> is removed.  Why did I have to use both the script & the custom tag to do this?
 
LVL 9

Expert Comment

by:73Spyder
ID: 16895926
I am not sure why you had to use both.  The script should have worked fine.
 

Author Comment

by:katrina_mc
ID: 16896206
Actually, I just deleted the cf tag from the application file and am just using the script, which is removing anything between HTML tags, which is what I want.  So what do I gain by using the custom tag?
 
LVL 9

Expert Comment

by:73Spyder
ID: 16896216
For your need, you do not gain anything.  It was just an alternate solution.

I am glad that the script I posted is working for you.

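Both answers in this thread, the StripHTML() function and the cf_inputFilter tag with tags="ALL", rest on the same regular expression, <[^>]*>. The Python script below is an added example and is not code from the thread or from ColdFusion; it replicates that filter and runs it over four constructed inputs: well-formed markup (which it handles), a tag with no closing ">" (which it leaves untouched, and which becomes a real tag once the page's own markup supplies the ">"), ordinary text containing "<" and ">" (which it destroys), and an attribute-context payload that needs no tag at all. Next to it is output-side HTML entity encoding, the job HTMLEditFormat() does in ColdFusion of that era. The profile-page template, the payloads and the function names are this example's own assumptions.

```python
"""Regex tag stripping versus output encoding.

Added example, not from the original thread.  The page template and
the user inputs below are constructed for illustration only.
"""
import html
import re
from html.parser import HTMLParser

# Same expression StripHTML() and cf_inputFilter (tags="ALL") use:
# anything from a "<" up to the next ">", case-insensitive.
TAG_RE = re.compile(r"<[^>]*>", re.IGNORECASE)


def strip_tags(text: str) -> str:
    """Equivalent of REReplaceNoCase(str, "<[^>]*>", "", "ALL")."""
    return TAG_RE.sub("", text)


def encode_for_html(text: str) -> str:
    """Output-side defence: turn &, <, >, " and ' into entities so the
    browser can only display the text, never parse it as markup
    (what HTMLEditFormat() does in ColdFusion)."""
    return html.escape(text, quote=True)


class TagCollector(HTMLParser):
    """Records the start tags an HTML parser actually sees, i.e. roughly
    what a browser would build from the page after the value is embedded."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag name, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_seen_in_page(user_value: str) -> list:
    """Embed an already-filtered value in a minimal (constructed) profile
    page and return the start tags a parser finds in the result."""
    page = '<div class="about-me">' + user_value + "</div>"
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


# Constructed inputs.
# 1. Well-formed markup: the stripper handles this one.
NAIVE = "<script>alert(1)</script>hello"
# 2. No ">" anywhere, so the regex has nothing to match.  Once embedded,
#    the page's own "</div>" supplies the ">" and the parser sees an <img>
#    with an onerror handler; the "//" turns the swallowed markup into a
#    JavaScript comment so the handler still runs.
UNCLOSED = "<img src=x onerror=alert(1)//"
# 3. Legitimate text the stripper silently mangles ("if a  d").
INNOCENT = "if a < b and c > d"
# 4. If the value is echoed inside value="...", closing the quote is enough;
#    there is no tag for the stripper to remove.
ATTR_BREAKOUT = '" onmouseover="alert(1)'


def main() -> None:
    cases = [("naive", NAIVE), ("unclosed", UNCLOSED),
             ("innocent", INNOCENT), ("attribute", ATTR_BREAKOUT)]
    for label, value in cases:
        stripped = strip_tags(value)
        print(f"{label:9} strip_tags  -> {stripped!r}")
        print(f"{'':9} tags parsed -> {tags_seen_in_page(stripped)}")
        print(f"{'':9} encoded     -> {encode_for_html(value)!r}")


if __name__ == "__main__":
    main()
```

Running it shows the two failure modes side by side: the unclosed <img ...> passes the stripper unchanged because the expression needs a closing ">", and only turns into a tag when the surrounding page provides one; the attribute breakout never contained a tag. Encoding at output time (HTMLEditFormat() in ColdFusion, html.escape() here) keeps the text readable, including a harmless "a < b", and removes the ambiguity wherever the value lands. Stripping on the way into the database is fine for keeping markup out of the stored profile, but the encode-on-output step is what keeps it out of the rendered page.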