How to restrict javascript alert in umbraco home page
Hi,
I have an issue like
I have created one document type with property name news and type is textbox multiple.
In the content page textbox I have entered <script>alert('hi')</script>.
Save and Published this.
Script executing in textbox control, alert showing in home page.
I want to restrict JavaScript in the textbox control. Can anyone help me with this, please?
In the XSLT I have given <xsl:value-of select="./teaserDesc" disable-output-escaping="yes"/> but it's not restricting the alert message.
Hi Satya and welcome to our :)
What is the purpose of your alert? Should it only be used in the Umbraco backoffice? And what exact version of Umbraco are you using?
/Jan
Hi Jan, thanks for your reply.
I am using Umbraco version 7.2.1.
Actually, I have developed one website, which was given to QA for testing. QA entered the JavaScript alert('hi') instead of text in the textbox. The alert shows on the home page when the page is refreshed.
A ticket was raised for this. I want to resolve this issue. If you know how, please help me.
Hi Satya
Ok, so you have a form on your public facing website, which picks up data and creates a node in the Umbraco backoffice based on the form entry?
Or has QA entered the JavaScript directly on the node in the backoffice? If so... is it then for the purpose of displaying a code example on the public facing website?
Please provide as much information as possible since it's essential that I understand the issue before proposing a solution.
Looking forward to hearing from you.
/Jan
Hi Jan,
There is no purpose for giving the JavaScript alert on the node in the backoffice; it was just given for QA testing purposes. But the textbox allows the script to execute.
I don't know whether it is an issue or not. If there is any solution for this, we can restrict script execution in the textbox.
Satya.
Hi Satya,
You have a couple of options for dealing with this, and the simplest is just to remove the disable-output-escaping attribute (or set it to "no", which is the default):
<xsl:value-of select="teaserDesc" />
This way, it's impossible to render actual HTML markup from the teaserDesc field. You will instead get any HTML entered, displayed as code, and it won't "execute" - which also means that any JavaScript entered in that field won't run in the page.
If you need to fully remove the tags you could try using the StripHtml() extension, like this:
/Chriztian
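An added example, not part of the thread or of Umbraco's own code: a small Python audit that lists every xsl:value-of or xsl:text in a stylesheet that still carries disable-output-escaping="yes", the setting the reply above says to remove. The stylesheet, including the newsIntro field, is constructed sample input.

```python
# Added example (not from the thread): flag XSLT output instructions that
# turn off escaping, so editor-entered markup reaches the page as raw HTML.
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Only these two XSLT 1.0 instructions accept disable-output-escaping.
OUTPUT_INSTRUCTIONS = {f"{{{XSL_NS}}}value-of", f"{{{XSL_NS}}}text"}

# Constructed sample stylesheet; newsIntro is a hypothetical field name.
SAMPLE_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <div class="teaser">
      <xsl:value-of select="./teaserDesc" disable-output-escaping="yes"/>
    </div>
    <h2><xsl:value-of select="@nodeName"/></h2>
    <p><xsl:value-of select="newsIntro" disable-output-escaping="no"/></p>
  </xsl:template>
</xsl:stylesheet>
"""


def find_unescaped_outputs(xslt_source):
    """Return (instruction, select) for each output instruction with
    disable-output-escaping="yes", i.e. one that emits raw markup."""
    root = ET.fromstring(xslt_source)
    findings = []
    for el in root.iter():
        if el.tag not in OUTPUT_INSTRUCTIONS:
            continue
        # The attribute defaults to "no" when it is absent.
        if el.get("disable-output-escaping", "no").strip() == "yes":
            name = "xsl:" + el.tag.split("}", 1)[1]
            findings.append((name, el.get("select", "")))
    return findings


if __name__ == "__main__":
    for name, select in find_unescaped_outputs(SAMPLE_XSLT):
        print(f"{name} select={select!r} writes field content as raw markup")
```

Each hit is a field whose content is written to the page without escaping; removing the attribute there restores the default behaviour described in the reply.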
Hi Jan,
I have done as you mentioned above, but the alert is still showing on the home page. Please find the screenshot below.