strip jscript from user input

george

hello,

which is the best way to strip jscript/vbscript from user input? Is
there any module I could reuse?

thanks in advance
george


P.S. the solution must allow users to enter html code.
Evertjan.

george wrote on 17 dec 2007 in comp.lang.javascript:
which is the best way to strip jscript/vbscript from user input? Is
there any module I could reuse?
P.S. the solution must allow users to enter html code.

There is no "best way" in programming.
It depends on your preferences.

Why would you strip script from an input?
Just make sure that it is never used in a html page.

Well, if you insist, use:

t = t.replace(/</g,'&lt;')

This is not stripping, but it won't be executed.

Why shouldn't you strip input values of script?

Because:

Someone's signature could be <script> ?

someone could input:

"if 7<a and href>7 then response.write c\"

You want to strip that?
george

george wrote on 17 dec 2007 in comp.lang.javascript:


There is no "best way" in programming.
It depends on your preferences.

Why would you strip script from an input?
Just make sure that it is never used in a html page.

Well, if you insist, use:

t = t.replace(/</g,'&lt;')

This is not stripping, but it won't be executed.

Why shouldn't you strip input values of script?

Because:

Someone's signature could be <script> ?

someone could input:

"if 7<a and href>7 then response.write c\"

You want to strip that?

thanks for your reply

I just want the user to be able to post whatever he/she wants except
javascript/vbscript.
the replace solution " t.replace(/</g,'&lt;') " is not ideal, I don't
want code in the page.
this thing would be a personalization feature.

george
Evertjan.

george wrote on 17 dec 2007 in comp.lang.javascript:

[Please do not quote signatures on usenet. Removed]
thanks for your reply

I just want the user to be able to post whatever he/she wants except
javascript/vbscript.
the replace solution " t.replace(/</g,'&lt;') " is not ideal, I don't
want code in the page.
this thing would be a personalization feature.

So if they include C++, Pascal or Java code, it is OK?

Some Javascript is also C++, some is not.

Or do you simply want to prevent clientside browser execution?

And plain old Basic source?

No I do not think your quest will have success.
Doug Gunnoe

thanks for your reply

I just want the user to be able to post whatever he/she wants except
javascript/vbscript.
the replace solution " t.replace(/</g,'&lt;') " is not ideal, I don't
want code in the page.
this thing would be a personalization feature.

george

Could you instead just allow only certain html tags? Otherwise, I
think it is going to be difficult to filter out any type of scripting.

If you check for say, "<script>" javascript could still be put in
elements and triggered by events, like <input type="button"
onclick="function getCHA(){alert('do bad stuff here')} getCHA()"
value="click me" />

If you allow PHP and the page is PHP, then they could pretty much do
all kinds of stuff.
george

george said the following on 12/17/2007 12:37 PM:

Whatever you do, you are going to have to duplicate it on the server
anyway. What is to stop the user from disabling script, or, bypassing
your validation?

--
Randy
Chance Favors The Prepared Mind
comp.lang.javascript FAQ - http://jibbering.com/faq/index.html
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/

thanks guys for your replies

I know it's not the easiest thing to do properly.
What we need is to allow html/flash stuff but not scripts that the browser
could execute.

regards,
george
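To show what Doug's "allow only certain html tags" suggestion, Evertjan's `&lt;` replace and Randy's "do it on the server" point look like when combined, here is an added example (not code from anyone in the thread): a small Node.js allow-list filter that rebuilds permitted tags from scratch and escapes everything else, so `<script>`, `on*` handlers and `javascript:` URLs cannot survive. The tag and attribute lists, the URL rule and the function names are my own assumptions.

```javascript
// Added example: allow-list HTML filter for user-submitted markup.
// Tags and attributes not on the lists are escaped or dropped, so
// <script>, on* handlers and javascript: URLs never reach the page.
// Run it on the server (Node.js); client-side checks can be bypassed.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'a', 'img']); // assumed policy
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };
const SAFE_URL = /^(https?:\/\/|\/|#)/i; // rejects javascript:, vbscript:, data:

// Evertjan's replace, extended to the other HTML metacharacters.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Keep only allow-listed attributes of an allowed tag and re-quote them.
function filterAttrs(tag, raw) {
  const attrRe = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '', m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (!ALLOWED_ATTRS[tag] || !ALLOWED_ATTRS[tag].has(name)) continue; // drops onclick etc.
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value.trim())) continue;
    out += ` ${name}="${escapeText(value)}"`;
  }
  return out;
}

// Walk the input tag by tag: allowed tags are rebuilt from their filtered
// attributes; unknown tags, comments and bare text are escaped as text.
function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const [whole, closing, name, attrs] = m;
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) { out += escapeText(whole); continue; }
    out += closing ? `</${tag}>` : `<${tag}${filterAttrs(tag, attrs)}>`;
  }
  return out + escapeText(input.slice(last));
}

// Doug's example from the thread: <input> is not on the list, so the whole
// tag is rendered as harmless text and the onclick handler never runs.
const DOUG_EXAMPLE = `<input type="button" onclick="function getCHA(){alert('do bad stuff here')} getCHA()" value="click me" />`;
console.log(sanitizeHtml(DOUG_EXAMPLE));
```

Evertjan's `if 7<a and href>7` example comes out as `if 7<a>7`: an allow-list turns plain text that looks like a tag into one, which is the trade-off of letting users type raw HTML at all.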