Solved

Submit javascript code snippet via web form field

Posted on 2011-02-25
Last Modified: 2012-05-11
Having built a small CMS system, I am adding a form that will let users submit their own HTML code snippets which they can then add to their web page content via the CMS. This all works fine apart from one problem: when the code snippet to be submitted includes code for a form with javascript validation, the original form doesn't submit.

I need to know if there is a way to have the code entered into the form field 'shielded' so that it doesn't affect the form that is being used to submit that code.

Hoping that someone can help.

Thank you.
0
Question by:BigFriendlyGiant
7 Comments
 
LVL 70

Expert Comment

by:Jason C. Levine
ID: 34985718
Hi BigFriendlyGiant,

What kind of escaping are you doing with the form field?

0
 
LVL 34

Expert Comment

by:Slick812
ID: 34987704
Greetings BigFriendlyGiant, I have had problems similar to what you describe happening in your javascript "validation" and other functions that are "added later" to the existing javascript variables and functions entries already on a page. Many times common functions and variables will try and use the same names that are already in use. I would guess that the added javascript validation function uses the same function name that you use, so "the original form doesn't submit" because there may now be two functions with that name. What I do now is to add 2 or 3 numbers to the end of all of my javascript function names that have common names, like this -

function validate(id) {

}

change to - -

function validate42(id) {


}

You should check on your variable and function names and rename all of the ones that have commonly used names like ID, validate, checkForm, name, user, and many others.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 34992368
As a general rule, anything that a client puts into the textarea should come through into the action script, where you would escape it with mysql_real_escape_string() and store it in your data base, unmodified in any way.  When you get ready to echo this to the browser, you would use htmlentities() to reduce the risk of injected code.

If you want to show us the code that is causing you trouble we may be able to offer more specific guidance.
0
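
An added example, not part of the original thread, of the store-unmodified, encode-on-output pattern described in the comment above, applied to the CMS form that re-displays a saved snippet. It assumes PHP 7+ with the pdo_sqlite extension and uses PDO bound parameters in place of mysql_real_escape_string() (removed in PHP 7); the snippets table, save.php and the function names are hypothetical.

```php
<?php
// Constructed sample input: a trimmed snippet of the kind discussed in this
// thread, plus a closing textarea tag that would end an unencoded <textarea>.
$snippet = <<<'HTML'
<form method="post" action="abcxyz" id="frmSS5" onsubmit="return CheckForm5(this);">
  <input type="text" name="email" value="" />
</form>
<script type="text/javascript">function CheckForm5(f) { return false; }</script>
</textarea><b>text after a closing textarea tag</b>
HTML;

// Storage: keep the snippet byte-for-byte; the bound parameter handles quoting.
function store_snippet(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO snippets (body) VALUES (?)');
    $stmt->execute([$html]);
    return (int) $db->lastInsertId();
}

function load_snippet(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM snippets WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Output: encode only when echoing the snippet back into the edit form, so the
// browser treats it as text and never as a nested form or a live script.
function render_editor(string $html): string
{
    $safe = htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="save.php">'
         . '<textarea name="snippet" rows="20" cols="80">' . $safe . '</textarea>'
         . '<input type="submit" value="Save" /></form>';
}

// In-memory SQLite stands in for the CMS database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT)');

$stored = load_snippet($db, store_snippet($db, $snippet));
$page   = render_editor($stored);

var_dump($stored === $snippet);                 // was the snippet stored unmodified?
var_dump(substr_count($page, '<form'));         // number of live <form> tags in the editor page
var_dump(strpos($page, '<script') === false);   // is the page free of live <script> tags?
var_dump(substr_count($page, '</textarea>'));   // number of real closing textarea tags
```

The browser decodes the entities for display and on submit, so the action script still receives the original snippet text.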

Author Comment

by:BigFriendlyGiant
ID: 34992622
Hi,

jason1178, I use mysql_real_escape_string, but I do not believe the problem lies in the validation or what happens server side when the form is submitted. I think that the problem happens client side and that the form used to submit the code snippets tries to use the javascript validation submitted in the code snippet itself.

Slick812, that is almost correct, except that the field names in the form submitted in the code snippet do not correspond to the field names in the form used to submit the code snippet. My guess is that, as the code snippet is in itself a form with javascript validation, it will not submit as the fields in the code snippet are empty, i.e. not valid as per the validation in the code snippet, if that makes sense. The problem is that the code snippet being submitted is a subscription HTML form that my clients are likely to try to use on their sites often and add themselves via the form to submit code snippets.

Ray_Paseur, as per my response to jason1178, I believe the problem lies before the form data reaches the code to escape the data or to validate it.

A copy of the code being submitted via the form as code snippet is attached.

Thanks.
<!--
Do not modify the NAME value of any of the INPUT fields
the FORM action, or any of the hidden fields (eg. input type=hidden).
These are all required for this form to function correctly.
-->
<form method="post" action="abcxyz" id="frmSS5" onsubmit="return CheckForm5(this);">
  <table border="0">
    <tr>
      <td><span class="required">*</span>&nbsp;
        Your Email Address:</td>
      <td><input type="text" name="email" value="" /></td>
    </tr>
    <tr>
      <td><span class="required">*</span>&nbsp;
        Preferred Format:</td>
      <td><select name="format"><option value="h">HTML</option><option value="t">Text</option></select></td>
    </tr>
  </table>
</form>

<script type="text/javascript">
// <![CDATA[

// Returns true if any checked element of the form has an id containing `name`.
function CheckMultiple5(frm, name) {
  for (var i = 0; i < frm.length; i++) {
    // Declared with var so they do not become globals on the host page.
    var fldObj = frm.elements[i];
    var fldId = fldObj.id;
    if (fldId) {
      var fieldnamecheck = fldObj.id.indexOf(name);
      if (fieldnamecheck != -1) {
        if (fldObj.checked) {
          return true;
        }
      }
    }
  }
  return false;
}

// onsubmit handler: cancels the submit unless the email field matches the
// pattern and a format is selected.
function CheckForm5(f) {
  var email_re = /[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/i;
  if (!email_re.test(f.email.value)) {
    alert("Please enter your email address.");
    f.email.focus();
    return false;
  }

  if (f.format.selectedIndex == -1) {
    alert("Please choose a format to receive your email campaigns in");
    f.format.focus();
    return false;
  }

  return true;
}

// ]]>
</script>


0
 

Accepted Solution

by:
BigFriendlyGiant earned 0 total points
ID: 34992640
I have resolved the problem by making it possible for my clients to upload the code as the content of a file which is then read via a PHP script which takes that content and writes it to the database. A roundabout way to do it but it works for now.
0
 
LVL 34

Expert Comment

by:Slick812
ID: 34992706
It is so difficult to try and "guess" what your problem may or may not be, especially with "User Submitted" html and javascript to be added to a page. I am glad that you have got something to work, by using a file to store content, and reading it to fix whatever conflict that occurred before. File writes and reads are rapid, and if you can delete the file after reading, this will probably be a solution. However, if you need any more help, I would say you will need to show us the user submitted code that did not work.
0
 

Author Closing Comment

by:BigFriendlyGiant
ID: 35067688
No other solution given perhaps due to me finding it difficult to explain clearly what the problem was.
0
