  • Josh Reid 182 posts 258 karma points
    Jun 04, 2012 @ 23:46
    Josh Reid
    0

    HTML in textarea = A potentially dangerous Request.Form value YSOD

    Hi Team
    Umb 4.7.2 + Contour 1.1.12

    Wondering if there is a cure to this? Need to ensure cleanup of any html, or at least no YSOD!

    Hopefully there is a simple config setting or something?

    Thanks
    Josh

  • Josh Reid 182 posts 258 karma points
    Jun 05, 2012 @ 11:33
    Josh Reid
    0

    Can't seem to edit the post with no replies and hindsight says maybe a little clarification is called for:

    I need to ensure cleanup of any html (quotes, etc) or possibly process it (accepting any html/special characters/quotes, etc) from the textarea field, so we can avoid the nasty YSOD!

    The textarea needs to be secure, but not fail on html inclusion - it may be necessary to strip any html prior to posting?

    Any thoughts appreciated, cheers!

  • Josh Reid 182 posts 258 karma points
    Jun 20, 2012 @ 02:57
    Josh Reid
    0

    So in this case I have ended up simply relying on javascript - using jquery...

    noHtml($("textarea"));
    // no HTML binding: re-check the field on every keyup and on blur
    function noHtml(el) {
        if(el.length) {
            el.bind("keyup blur", function(){
                var cleanText=stripHtml($(this).val());
                if($(this).val()!=cleanText) {
                    $(this).val(cleanText);
                    shakeIt($(this));
                }
            });
        }
    }
    // strip any HTML by parsing it into a detached element and reading back its text.
    // Caveat: assigning untrusted markup to innerHTML, even on a detached element, can still
    // trigger resource loads and inline event handlers, and the server still receives whatever
    // the browser submits, so this is a usability aid rather than a security control.
    function stripHtml(html){
        var tmp = document.createElement("div");
        tmp.innerHTML = html;
        return tmp.textContent||tmp.innerText;
    }
    // user feedback: briefly fade the field so the user notices the change
    function shakeIt($el) {
        if($el.length) {
            $el.animate({opacity:.2},100, function(){
                $(this).animate({opacity:1},200);
            });
        }
    }

    May not be the perfect solution but easy and effective at least... modify to suit your needs - i.e. I didn't actually want shaking in this instance.

    Hope it can be of use to someone else.

    Cheers
    Josh
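
    A DOM-free companion to the approach above, added here as an example and not part of Josh's post or of Umbraco/Contour: a pre-check that approximates the heuristic behind the "potentially dangerous Request.Form value" error (assumed here to be a `<` followed by a letter, `!`, `/` or `?`, or a `&` followed by `#`), a tag stripper that avoids innerHTML, and a lossless encoding alternative. It also covers the case where stripping alone still fails the check, because numeric entities pass straight through a tag stripper.

```javascript
// Added example, not from the original post. Pure JavaScript: runs under Node,
// no DOM or jQuery needed.

const TAG_START = /[A-Za-z!\/?]/; // what may follow '<' to make it look like a tag

// Approximates the heuristic behind "A potentially dangerous Request.Form value
// was detected": a '<' followed by a letter, '!', '/' or '?', or a '&' followed
// by '#', is rejected. Returns the offending index, or -1 if the value passes.
// (Assumption: this mirrors ASP.NET's default request validator; treat it as a
// client-side pre-check, not a replacement for the server-side one.)
function dangerousIndex(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i], next = value[i + 1];
    if (c === '<' && TAG_START.test(next)) return i;
    if (c === '&' && next === '#') return i;
  }
  return -1;
}

// Tag stripper that never routes untrusted text through innerHTML. It removes
// anything that looks like a tag or comment and keeps a lone '<' that is not
// followed by a tag start (so "a < b" survives). An unterminated tag fragment
// is dropped, because leaving "<b" in place would still trip the validator.
function stripTags(value) {
  let out = '';
  for (let i = 0; i < value.length; ) {
    if (value[i] === '<' && i + 1 < value.length && TAG_START.test(value[i + 1])) {
      const close = value.indexOf('>', i + 1);
      if (close === -1) break;
      i = close + 1;
    } else {
      out += value[i++];
    }
  }
  return out;
}

// Lossless alternative: encode the three characters the validator cares about.
// Afterwards no '<' remains and every '&' is followed by a letter, never '#',
// so the value always passes and the original text can be decoded server-side.
function encodeForRequestValidation(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stripping alone is not enough: numeric entities such as "&#60;" survive it.
function wouldStillFail(value) {
  return dangerousIndex(stripTags(value)) !== -1;
}
```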
