Detecting html tags or javascript code in a text field

Hi all,

I'm trying to detect if HTML tags or JavaScript code are introduced in my one-field (search field) form. How can I do that?

Here's the variable with the string introduced in the field:
var wordsToSearch  = document.getElementById("searchfield").value;

Thanks a lot

You can use regular expressions to check whether the text introduced has "<", ">" or "javascript:" inside it... However, if you are afraid of hacking, you can limit the size of the text introduced in the field and eliminate the "/' characters to prevent inserted text from breaking your query statement and starting to execute malicious code.
Brad Howe, DevOps Manager, commented:

What you are looking for is to HTML-encode your strings. When you HTML-encode a string, dangerous characters such as < and > are replaced by HTML entity references such as &lt; and &gt;. So when a user inputs text such as <html><html> or <script></script>, it is converted to &lt;script&gt;&lt;/script&gt;. The encoded string no longer executes as a JavaScript script when interpreted by a browser.

Take a look here,
This is just an example.
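As an added example (not code from the original thread or from any of its participants), here is the HTML-encoding approach the answer above describes, written in JavaScript so it can run on either side of the form. It goes a little beyond the < and > mentioned above and encodes the full set of characters that change meaning in HTML text or quoted attribute values; the ampersand is encoded first so that entities already produced are not encoded twice. The `renderResultsHeading` function and the sample search strings are constructed for this example and are not part of the original page.

```javascript
// Added example, not from the original thread.
// Encodes the five characters that can change meaning in HTML text or in a
// double- or single-quoted attribute value. '&' goes first so the entities
// produced by the later replacements are not re-encoded.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed helper: the markup a search page might echo back, putting the
// raw query into both an attribute context (value="...") and a text context.
// The value only ever reaches the markup through htmlEncode, so whatever the
// user typed is shown as literal text instead of being parsed as tags or
// attributes.
function renderResultsHeading(query) {
  return '<p>Results for: <input value="' + htmlEncode(query) + '"> ' +
         htmlEncode(query) + '</p>';
}

// Constructed sample inputs: a benign search, a tag injection, and an
// attribute break-out that contains no < or > at all.
const samples = [
  'red shoes',
  '<script>alert(1)</script>',
  '" onfocus="alert(1)" autofocus x="',
];

// Returns the rendered heading for each sample so the effect can be inspected.
function demo() {
  return samples.map(renderResultsHeading);
}

console.log(demo().join("\n"));
```

The third sample is the reason encoding has to cover quotes and not just angle brackets: a filter that only looks for < and > would pass it, yet unencoded inside value="..." it closes the attribute and adds an event handler. In the browser itself, assigning the query with `element.textContent = query` rather than `innerHTML` achieves the same thing without hand-encoding.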


May I point out that using JavaScript to prevent JavaScript injection is actually wrong.

The form can be generated remotely, bypassing the client-side injection prevention (the JavaScript you are asking for), and sent to the server to deliver whatever payload the attacker wants.

The only reliable solution is to prevent the injection on the server-side.

Bottom line: without server-side countermeasures, I can bypass your JavaScript in about 3 minutes.

What you need to do is protect your server-side script (the script that handles the form that I am submitting).

If you are using a server-side script to process the form, tell us what language that script is written in (ASP, Perl, PHP etc) and we can point you to some easy ways to protect your database.
Dada44 (Author) commented:
Thanks very much to all for answering.

I've limited the characters one can introduce in the field, but I'm going nuts with regular expressions: too much to learn, too little time to implement :(

tomaugerdotcom, for the server side I'm using PHP; what can I do to protect the DB from it?

Thanks once again!!
Dada44 (Author) commented:
In the regex chapter I'm doing:

wordsToSearch = wordsToSearch.replace(/\//g, "");
wordsToSearch = wordsToSearch.replace("\\", "");

in order to replace all / and all \ with nothing. But it's replacing only the ones at the beginning of the string; if I add some / or \ in the middle, it won't work, they will still show.
Also I'm trying the same with the brackets.

Thanks again
Okay, for the Regex in your JS:

Your regular expressions appear to be doing what you're asking them to do: find every occurrence of / and \ and replace it with nothing (a zero-width string).

Can you be more specific about what it's doing that you feel it should not be doing?

And for the PHP, I'm assuming you're writing to your database, right, so be sure to use at the very least
whenever you want to use 'myInputField' within an SQL query, or if you're printing/echoing something back to the page.

mysql_real_escape_string() will strip out all 'nasties' that may be harmful to your database, and will convert all dangerous characters (< > / \ etc) into their code equivalents, which are safe.

To take it one step further, in terms of protecting your database, also be sure to use the new method of reading/writing to a MySQL database, "mysqli". This uses a concept called "prepared statements". Now AFAIK, this will not help so much on the JavaScript side, since your database couldn't care less about JavaScript. So use mysql_real_escape_string() as well. This may sound tedious, but trust me, cleaning up a corrupted database or hacked website is far more tedious. Just ask the guys over at WordPress!!!

Here's the docs on prepared statements. They're very easy to implement:

Example from the docs
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
$stmt = mysqli_prepare($link, "SELECT District FROM City WHERE Name=?"); // the ? is where your variable will go
// now we bind the variable in place of the "?" (bind_param needs a variable, not a function result)
// a bound value is sent separately from the SQL text, so it is never interpolated into the query
$cityParam = mysqli_real_escape_string($link, $city); // added real_escape_string cause I'm paranoid
mysqli_stmt_bind_param($stmt, "s", $cityParam);
mysqli_stmt_execute($stmt);
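Added example (not code from the thread or from any participant) covering the two JavaScript points discussed above: why `wordsToSearch.replace("\\", "")` only touches the first backslash while the `/\//g` form removes every slash, and what a character block-list does and does not buy you once the value is written back into HTML. The `stripChars` function mirrors the filter the author describes (dropping / \ < >); `buildValueAttr`, the `sample` string and the `attrPayload` string are constructed for this example.

```javascript
// Added example, not from the original thread.
// String.prototype.replace with a *string* pattern replaces only the first
// match; a regular expression with the g flag (or replaceAll) replaces them all.
const sample = 'a\\b\\c/d/e'; // the literal text a\b\c/d/e

function stripFirstOnly(s) {
  // The behaviour the author reported: only the first "\" disappears.
  return s.replace("\\", "");
}

function stripAllSlashes(s) {
  // Global regexes remove every occurrence of / and of \.
  return s.replace(/\//g, "").replace(/\\/g, "");
}

// The block-list approach from the thread: drop the characters believed to be
// dangerous (/, \, < and >) and keep everything else.
function stripChars(s) {
  return s.replace(/[\/\\<>]/g, "");
}

// Constructed: how the search page might echo the value back into the field.
function buildValueAttr(query) {
  return '<input name="searchfield" value="' + query + '">';
}

// Constructed payload: contains none of the blocked characters, yet inside
// value="..." it closes the attribute and adds an event handler.
const attrPayload = '" autofocus onfocus="alert(1)';

// Returns true when the payload passes stripChars unchanged and the resulting
// markup still carries the injected attribute, i.e. the filter did not help.
function filterSurvives(payload) {
  const filtered = stripChars(payload);
  const markup = buildValueAttr(filtered);
  return filtered === payload && /onfocus=/.test(markup);
}

console.log(stripFirstOnly(sample), stripAllSlashes(sample), filterSurvives(attrPayload));
```

The first two functions explain the symptom from the author's post: the string form of `replace` stops after one match, so slashes later in the value survive. The third shows why fixing the regex still does not settle the security question: which characters are dangerous depends on where the value ends up, and a block-list tuned for one context (tags in HTML body text) misses another (a quoted attribute). The thread's two real defences are independent and both are needed: a bound parameter keeps the value out of the SQL text, and HTML encoding at output keeps it out of the markup.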

