  • Josh Reid 182 posts 258 karma points
    Jun 04, 2012 @ 23:46
    Josh Reid
    0

    HTML in textarea = A potentially dangerous Request.Form value YSOD

    Hi Team
    Umb 4.7.2 + Contour 1.1.12

    Wondering if there is a cure to this? Need to ensure cleanup of any html, or at least no YSOD!

    Hopefully there is a simple config setting or something?

    Thanks
    Josh

  • Josh Reid 182 posts 258 karma points
    Jun 05, 2012 @ 11:33
    Josh Reid
    0

    Can't seem to edit the post with no replies, and hindsight says maybe a little clarification is called for:

    I need to ensure cleanup of any html (quotes, etc) or possibly process it (accepting any html/special characters/quotes, etc) from the textarea field, so we can avoid the nasty YSOD!

    The textarea needs to be secure, but not fail on html inclusion - it may be necessary to strip any html prior to posting?

    Any thoughts appreciated, cheers!

  • Josh Reid 182 posts 258 karma points
    Jun 20, 2012 @ 02:57
    Josh Reid
    0

    So in this case I have ended up simply relying on javascript - using jquery...

    // bind the cleanup to every textarea on the page
    // (the function declarations below are hoisted, so calling first is fine)
    noHtml($("textarea"));

    // no HTML binding: re-check the field on every keyup and on blur
    function noHtml(el) {
        if (el.length) {
            el.bind("keyup blur", function () {
                var cleanText = stripHtml($(this).val());
                if ($(this).val() != cleanText) {
                    $(this).val(cleanText);
                    shakeIt($(this));
                }
            });
        }
    }

    // strip any HTML by letting the browser parse it into a detached <div>
    // and reading back only the text nodes (innerText for old IE)
    function stripHtml(html) {
        var tmp = document.createElement("div");
        tmp.innerHTML = html;
        return tmp.textContent || tmp.innerText;
    }

    // user feedback: quick fade out / fade in so the user notices the change
    function shakeIt($el) {
        if ($el.length) {
            $el.animate({ opacity: .2 }, 100, function () {
                $(this).animate({ opacity: 1 }, 200);
            });
        }
    }

    May not be the perfect solution but easy and effective at least... modify any of it to suit your needs - i.e. I didn't actually want shaking in this instance.

    Hope it can be of use to someone else.

    Cheers
    Josh
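
    The jQuery above is a usability aid: it keeps users from hitting the YSOD, while the server's request validation remains the control that actually rejects markup. As an added example that is not part of Josh's post, Umbraco or Contour, the following Node-runnable JavaScript shows the same strip step done without innerHTML (so the browser never parses the untrusted string; a detached `<img src=...>` would otherwise still issue a request), the encode-instead-of-strip alternative asked about in the second post, and an approximate pre-check for the pattern ASP.NET request validation flags. The rule in `looksDangerousToRequestValidation` is my recollection of ASP.NET's check and is an assumption, not something stated in the thread; `stripTags`, `encodeHtml` and `cleanFieldValue` are names chosen here, and the sample strings are constructed.

```javascript
// Added example, not code from the forum thread. Runs under Node without a DOM.

// Approximation (assumed from memory of ASP.NET's request validation, not
// taken from the thread): "<" followed by a letter, "!", "/" or "?", or the
// sequence "&#", is what makes a form value "potentially dangerous".
function looksDangerousToRequestValidation(text) {
  for (let i = 0; i < text.length - 1; i++) {
    const c = text[i];
    const next = text[i + 1];
    if (c === "<" && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === "&" && next === "#") return true;
  }
  return false;
}

// Strip tags with a small scanner instead of innerHTML: nothing is handed to
// the HTML parser, so no resources load as a side effect. A "<" only opens a
// tag when followed by a letter, "/", "!" or "?", so "a < b" survives intact.
// Quoted attribute values are honoured so a ">" inside them does not end the tag.
function stripTags(text) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === "<" && /[A-Za-z\/!?]/.test(text[i + 1] || "")) {
      let quote = null; // active quote character inside the tag, if any
      i++;
      while (i < text.length) {
        const c = text[i];
        if (quote) {
          if (c === quote) quote = null;
        } else if (c === '"' || c === "'") {
          quote = c;
        } else if (c === ">") {
          break;
        }
        i++;
      }
      i++; // step past ">" (or past the end if the tag never closed)
      continue;
    }
    out += ch;
    i++;
  }
  return out;
}

// The "process it" alternative: keep every character the user typed and make
// it inert for later rendering by encoding the five HTML metacharacters.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Mirrors what the keyup/blur handler in the thread decides: the cleaned value
// and whether the field actually changed (so feedback is shown only then).
function cleanFieldValue(value) {
  const cleaned = stripTags(value);
  return { value: cleaned, changed: cleaned !== value };
}

// Constructed sample inputs a textarea might receive.
const samples = [
  "plain text, nothing to do",
  "a < b and 1 &gt; 0",
  'hello <b>world</b> <img src="x>y" onerror=alert(1)>',
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", cleanFieldValue(s),
    "flagged:", looksDangerousToRequestValidation(s),
    "encoded:", encodeHtml(s));
}

module.exports = { looksDangerousToRequestValidation, stripTags, encodeHtml, cleanFieldValue };
```

    Encoding on the server at render time is the option that keeps the user's text intact; stripping on the client only spares the user the error page, and the Contour handler still needs its own validation for requests that never ran the script.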
