katrina_mc
How to NOT allow users to enter HTML in text box?
I'm creating something similar to MySpace.com, but I don't want users to be able to enter HTML or style sheets in the text input & textarea boxes. On MySpace, you can change the look of your individual profile page by entering HTML & style sheets into the text boxes. I want to PREVENT users from being able to do this on my site.
So, the simple question is, how do you NOT allow users to enter HTML into a text field? Is there an easy way to only allow text?
That is really the best way.
Also, you can look into the cfqueryparam tag for protection from other items like SQL injection and other evils.
There is also a CF custom tag you can include to strip any HTML.
I put it in my application.cfm and it strips any HTML from the URL and form variables being passed.
<!---
Template: inputfilter.cfm
Author: Peter Muzila
Source Control: $Header: $
Description:
The cf_inputFilter tag removes characters or tags from all fields coming from the
specified scopes (form,cookie, or url). This tag can be placed in the Application.cfm
file to filter out any input coming thru these scopes to any of the templates belonging
to the application.cfm file.
This tag can be executed only with CF 4.5 or higher
Usage:
<cf_inputFilter
scopes = "[FORM][,COOKIE][,URL]"
chars = "list_of_chars"
tags = "ALL|list_of_tags"
>
Attributes:
scopes (string list, required) - comma-delimited list of input scopes to be filtered
chars (string, optional) - string containing set of characters to be filtered out from the
input scope
tags (string list, optional) - comma-delimited list of tag names to be filtered out from the
input scope
--->
<!--- attributes validation --->
<cfparam name="attributes.scopes">
<cfparam name="attributes.chars" default="">
<cfparam name="attributes.tags" default="">
<cfscript>
// prepare reg expression for the tag search
reTags = "" ;
if ( attributes.tags eq "ALL" )
// re for any tag - "<*>"
reTags = "<[^>]*>" ;
else if ( attributes.tags neq "" )
// re for any of the listed tags - "<tag1|tag2|...|tagN>"
reTags = "</?(#ListChangeDelims(attributes.tags, '|', ',')#)[^>]*>" ;
// get comma-delimited list of chars from char set
charList = '' ;
if ( attributes.chars neq "" ) {
charList = attributes.chars ;
for ( i=Len(attributes.chars)-1; i gte 1; i=i-1 )
charList = Insert( ",", charList, i ) ;
}
</cfscript>
<cfloop list="#attributes.scopes#" index="scopeName">
<cfif not findnocase("multipart/form-data", cgi.CONTENT_TYPE)>
<cfscript>
// get the handle for the scope (form, cookie, url)
s = Evaluate( scopeName ) ;
// scroll thru fields in the scope and handle only simple values
for ( field in s )
if ( IsSimpleValue( s[field] ) ) {
// replace tags
if ( reTags neq '' )
s[field] = REReplace( s[field], reTags, "", "ALL" ) ;
// replace chars
if ( charList neq '' )
s[field] = ReplaceList( s[field], charList, "" ) ;
}
</cfscript>
</cfif>
</cfloop>
Regards
Gary
ASKER
I decided against the HTMLCODEFORMAT() tag because it inserts <pre></pre> into the text field after it is submitted to the database. It also changes the way the text looks when displayed.
I tried using the custom tag (above) but it was not working. I put this in the application file:
<cf_inputFilter
scopes = "FORM,COOKIE,URL"
tags = "ALL">
Did I do something wrong?
The only way I got it to work was a combination of using the custom tag & this:
<cfscript>
attributes.fieldname = REReplace(attributes.fieldname, "<[^>]*>", "", "ALL");
</cfscript>
When used separately (without both), the HTML tags were not deleted. But when used together, everything within <> is removed. Why did I have to use both the script & the custom tag to do this?
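Added example, not code from the thread: a Python mirror of what the cf_inputFilter tag and the asker's REReplace line do to a form scope, with the output-encoding alternative (what HTMLCodeFormat-style escaping achieves) beside it, so the two behaviours can be compared on the same input. The function names and the sample form are assumptions.

```python
import html
import re

# Pattern used in the thread: every tag, whatever its name.
RE_ANY_TAG = re.compile(r"<[^>]*>")


def tag_regex(tags):
    """Build the cf_inputFilter pattern: "ALL" matches any tag, otherwise
    the open or close form of the listed names.  Note "</?(b)[^>]*>" is a
    prefix match, so listing "b" also removes <br> and <blockquote>."""
    if tags.upper() == "ALL":
        return RE_ANY_TAG
    names = "|".join(re.escape(t.strip()) for t in tags.split(","))
    return re.compile(r"</?(" + names + r")[^>]*>", re.IGNORECASE)


def strip_input(value, tags="ALL", chars=""):
    """Mirror of the custom tag on one field: drop matching tags, then drop
    every character listed in chars (the tag's ReplaceList step)."""
    if tags:
        value = tag_regex(tags).sub("", value)
    for ch in chars:
        value = value.replace(ch, "")
    return value


def filter_scope(scope, tags="ALL", chars=""):
    """Apply strip_input to each string field of a FORM/URL/COOKIE-like dict;
    non-string values pass through, like the IsSimpleValue check."""
    return {k: strip_input(v, tags, chars) if isinstance(v, str) else v
            for k, v in scope.items()}


def escape_for_html(value):
    """Output-encoding alternative: the text is stored unchanged and the
    browser shows "<b>" literally, so no user markup is interpreted."""
    return html.escape(value, quote=True)


# Constructed sample form scope (hypothetical data, not from the thread).
FORM = {
    "about": "I <b>love</b> music <style>body{color:red}</style> & math: 1 < 2 > 0",
    "age": 19,
}

if __name__ == "__main__":
    print(filter_scope(FORM))           # tags gone, but "body{color:red}" and the
    print(filter_scope(FORM, tags="b"))  # "1 < 2 > 0" comparison are also mangled
    print(escape_for_html(FORM["about"]))
```

Stripping removes the tags but keeps the text between them (the style rules survive as plain text) and eats any "<...>" the user meant literally, whereas escaping preserves the text exactly and still renders it inert.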
I am not sure why you had to use both. The script should have worked fine.
ASKER
Actually, I just deleted the CF tag from the application file and am just using the script, which is removing anything between HTML tags, which is what I want. So what do I gain by using the custom tag?
For your need, you do not gain anything. It was just an alternate solution.
I am glad that the script I posted is working for you.