I have a situation where users can submit feedback through a textarea on a HTML page or JSP. This works fine and the text ends up in the database.
But, can anyone suggest any safeguards which could prevent somebody trying to submit malicious scripts which could possibly affect the page's behaviour?
I am aware of parsing the text entered and converting any < to `&lt;` and > to `&gt;`, but is there anything more I could do to validate the entered text?
Thanks
Mr Morgan
Check this out: Recommended method for escaping HTML in Java
See Apache StringEscapeUtils: escapeJavaScript and escapeHtml.
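An added example in JavaScript (not code from the answer, and not Apache Commons' escapeHtml) showing why converting only < and > is not enough for feedback text that is rendered back into a page: & must be escaped so entities in the input are not decoded, and quotes must be escaped so the same text is safe inside an attribute. The `renderFeedback` wrapper is a hypothetical stand-in for the JSP that displays the stored text.

```javascript
// Added example: a minimal HTML escaper for stored feedback text.
// Not from the post or from Apache Commons Lang.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// The question's approach: only < and > are converted.
function escapeAnglesOnly(input) {
  return String(input).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Escape for HTML text content and quoted attribute values in one pass.
// A single replace means '&' in the input is never double-escaped.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical view code: the feedback is shown both as the paragraph text
// and in a title attribute, which is where quotes matter.
function renderFeedback(text, escaper = escapeHtml) {
  const safe = escaper(text);
  return `<p class="feedback" title="${safe}">${safe}</p>`;
}

// Returns true if the user text survived into the markup as a raw
// double quote, i.e. it could close the title attribute early.
function leavesRawQuote(text, escaper) {
  return escaper(text).includes('"');
}
```

With `escapeAnglesOnly`, a constructed input such as `Bob "The Builder" & Co` keeps its quotes and ampersand in the output; with `escapeHtml` it does not.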
Please bear with my ignorance for now as I have just started learning web-related programming. So, I have a web project written in MVC that has a login window with a Username textbox bound to a property:
@Html.TextBoxFor(model => model.UserName, new {@placeholder = "Username"})
As I understand, Razor automatically HTML-encodes input to help prevent cross-site scripting attacks. However, when I test the username with a JavaScript I get an exception from MVC:
A potentially dangerous Request.Form value was detected from the
client (UserName="...hp?name_1=code
Which makes me think that the input is NOT HTML encoded. My idea was to resolve this issue with HTML encoding/decoding, but it looks like I am not getting this whole idea right. Could someone explain?
NOTE: one of SO's related posts provides an unsecured solution but it is not an option for me to simply allow html.
It is not HTML encoded, that is correct. You will have to do the HTML encoding in the Action that the form posts back to.
Also, you will need to add the [ValidateInput(false)] attribute just above your action.
I have a file with a textarea (named "Resolution support") in which you can explain how to solve a problem. My problem is that a user should be able to add a picture for a better explanation. Whether he copies/pastes or has to click and drag or anything, I don't care, he HAS TO be able to put a picture into the textarea.
I wondered if another textbox that can do this exists and what type the textbox has to be in phpMyAdmin.
My textarea :
<textarea name="Escalade" class="longInput" cols="80%" rows="19" wrap="hard">
</textarea>
Without some kind of JavaScript WYSIWYG library this is not possible as vanilla textarea only takes text (clue is in the name).
I assume that you are viewing the submissions in phpMyAdmin which is an interface onto a MySQL database. It is good for developing stuff but not so great as an admin user interface long term. What you are asking about are called transformations.
Here are some tutorials on storing images in a database:
http://www.hockinson.com/programmer-web-designer-denver-co-usa.php?s=47
http://w3schools.invisionzone.com/index.php?showtopic=48068
How to store file name in database, with other info while uploading image to server using PHP?
Here are some lists of WYSIWYG editors:
http://www.sitepoint.com/html5-wysiwyg/
https://github.com/cheeaun/mooeditable/wiki/Javascript-WYSIWYG-editors
Those phpMyAdmin transformations:
http://docs.phpmyadmin.net/en/latest/transformations.html
That is about as much help as can be offered to you without seeing the PHP code behind the form at the very least. Hope this helps.
If someone is looking for an answer, I had asked my professor and he answered that what I was looking for is a "Rich Text Editor". I'm using CKEditor with the plugin prgfilemanager. It allows me to insert pictures but I cannot copy/paste them, which is pretty annoying...
You can try it here http://ckeditor.com/demo I hope it will help you if you have the same problem that I had :)
While it is true that you cannot use a textarea, the answer is very simple. You can use a contenteditable div, grab the contents as HTML and write it to a database using AJAX and PHP.
Just name a div like this:
<div class="my_article" contenteditable></div>
and pass the contents on the click of a button into a JS variable and then pass that into PHP using AJAX.
var content1 = $('.my_article').html();
If anyone needs further help please comment and I'll be happy to oblige.
Is there a way in Rails to escape code inserted in a textarea? If I post rails code at this point, there are some symbols that conflict with html (<< for instance) that don't render. Any thoughts on how to avoid this? In fact in some things I test, I make a post and it doesn't show up at all when I try to render it. I assume this is because of some conflict with the code I am posting.
You can possibly call a JavaScript function on window.onload/$(document).ready that will remove the HTML-specific special characters.
I have a site where people can submit YouTube videos.
What I need help with (not being very good at HTML programming) is that some use it to post spam or malformed URLS.
What I have is a HTML form with a text box and a button.
So I need it so people can only submit if they have entered a URL to a YouTube page in the form of "http://www.youtube.com/watch?v=" followed by their video ID.
Basically I only want them to be able to submit "http://www.youtube.com/watch?v=" with their video ID on the end, EG, http://www.youtube.com/watch?v=_qLTrO60o3E
Hope someone can point me in the right direction!
Thank you.
Jack,
You need to test the URL via a regular expression to check whether it is in a given format. You could implement this on the client side, but as posted in the question comments, any input must also be checked on the server. It's easy for a user to disable JavaScript, and most spam bots don't even use JavaScript.
For modern browsers, the client-side implementation could be done as easily as using the HTML5 form validation pattern attribute with a regular expression. So yes, this can be done using plain HTML (well, not for IE).
The following examples are regular expressions for JavaScript from the TinyMCE mediahtml5 plugin:
YouTube: /watch\?v=(.+)(.*)/
Vimeo: /vimeo\.com\/(.+)/
Dailymotion: /dailymotion\.com\/video\/([^_]*)/
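An added example in JavaScript, not code from the answer or from TinyMCE: one anchored pattern for the exact form the question asks for, reused for the HTML5 pattern attribute on the client and for the server-side check that runs regardless of JavaScript. It assumes a video ID is 11 characters from [A-Za-z0-9_-] (an assumption, not stated on the page) and deliberately rejects any host, path or trailing query other than that.

```javascript
// Added example: strict YouTube watch-URL validation, client and server side.
// Assumption: a video ID is exactly 11 characters from [A-Za-z0-9_-].
const YOUTUBE_ID = '[A-Za-z0-9_-]{11}';

// The TinyMCE-style /watch\?v=(.+)(.*)/ is unanchored: it accepts any host
// and anything after v=. This pins scheme, host, path and ID, nothing else.
const YOUTUBE_WATCH_RE = new RegExp(
  '^https?://(?:www\\.)?youtube\\.com/watch\\?v=(' + YOUTUBE_ID + ')$'
);

// Server-side check: returns the video ID on success, null on failure.
function extractYouTubeId(submitted) {
  const m = YOUTUBE_WATCH_RE.exec(String(submitted).trim());
  return m ? m[1] : null;
}

// Server-side: rebuild the URL from the validated ID only, so the database
// never stores the user's raw string.
function canonicalYouTubeUrl(submitted) {
  const id = extractYouTubeId(submitted);
  return id === null ? null : 'http://www.youtube.com/watch?v=' + id;
}

// Client-side: the same rule as an HTML5 pattern attribute on the text box.
// The pattern attribute is implicitly anchored, so ^ and $ are omitted.
function youTubeInputMarkup() {
  const pattern = 'https?://(www\\.)?youtube\\.com/watch\\?v=' + YOUTUBE_ID;
  return '<input type="url" name="video" required pattern="' + pattern + '">';
}
```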
Variations on my problem have been discussed elsewhere, so I hope I'm not duplicating!
I'm implementing a simple Private Messaging System as part of a web app. I've got an annoying problem though when dynamically inserting text into a textarea box in order to make a reply. Getting the content and displaying it is fine, but I can't work out how to format it correctly.
Obviously, I can't use html tags, but plain text formatting like line breaks and carriage returns seem to be ignored too.
This happens when an existing message is being displayed either as part of a reply or as a thread in a new message.
How do I check what formatting is being saved in my db? Or indeed what formatting is being sent back from my db?!
What about using some form of HTML editor for the replies? Save the HTML in the database and show it again in the editor on your web site.
Check this wiki page for a list of possible editors
UPDATE:
Thanks for your replies, but I've worked it out. I was playing around and realised the problem was at the stage of sending the data to the db. I passed the text through the nl2br() function before sending it to the db and this seems(!) to have done the trick!