@ScoobyDooobyD00 (author), Mar 26, 2008 — # I've seen on sites where if I enter <script type="text/javascript"></script> it comes out on the page as < type="text/javascript"></>
@ScoobyDooobyD00 (author), Mar 26, 2008 — # I'm sorry, I wasn't even paying attention to what I wrote.
For instance, if I put a textbox on my site for users to enter HTML into their profile, it wouldn't allow certain tags.
Like: the user goes to their control panel and enters some HTML into the textbox [code=html] <body bgimg="http://someimageurl.com"> <iframe width="*" height="*" src="http://someurl.com"></iframe> </body> [/code]
I don't want users to use frames, iframes, javascript, flash, php etc.
So I want the javascript to search what the user entered (above) and take out specific words, so that when it is sent to the database it looks like this: [code=html] <body bgimg="http://someimageurl.com"> < width="*" height="*" src="http://someurl.com"></> </body> [/code]
@Kor, Mar 26, 2008 — #
[QUOTE]Again I'm sorry I didn't explain myself more.[/QUOTE]
Nor did you this time ?
[QUOTE]I don't want users to use frame, iframes, javascript, flash, php etc[/QUOTE]
I guess you wanted to say that [B][I]you[/I][/B] don't want to use frames, iframes, javascript, flash, php etc. in your page...
[QUOTE]So I want the javascript to search what the user [I]entered[/I] (above) and take out specific words [..][/QUOTE]
entered? [I]Where[/I] entered? In a textarea? Or? [I]Where[/I] should the user enter? And [I]what[/I]?
Still very confusing for me... I would like you to explain more about what your project is, what you want to do and why.
@SyCo, Mar 26, 2008 — # If you don't use server-side scripting (like PHP), circumventing your validation is as easy as turning off javascript in the user's browser. Then I can post all the script/PHP tags I like and pwn your server ?
In PHP you can do this:
[code=php]
<?php
// Sample value, as if it had been posted from the form
$_POST['inputed_value'] = " remove these tags <iframe></iframe><? ?> <?php <script> </script> they should be gone<br><br>";
echo $_POST['inputed_value'];

// create an array of banned words
$banned_words = array('<iframe>', '</iframe>', '<?php', '<?', '?>', '<script>', '</script>');

// loop through the array and replace the banned word with '' (nothing)
foreach ($banned_words as $v) {
    $_POST['inputed_value'] = str_replace($v, '', $_POST['inputed_value']);
}

// show the cleaned value
echo $_POST['inputed_value'];
[/code]
It's a good idea to understand what you're doing and why, so please read up. Like I say, if you'd used JS you'd have been wide open. I could have entered a simple drop table statement, guessed your table names and wiped out your data.
And go easy on them Scooby-Snacks, they mess you up. ?
Edit: actually I wouldn't have needed to guess the table names, I could just read them with PHP too. Allowing users to input scripts of any kind (HTML included) is a potential hole, so consider how you do this. Methods similar to BBCode are the usual way to allow users to template.
@Kor, Mar 26, 2008 — # My first thought was the good one. A server-side validator, as I said. I was not sure of the server-side language accepted, but if PHP, yes, [B]SyCo[/B]'s code looks ok to me ?
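An allow-list version of the server-side check SyCo and Kor recommend, added here as an example and not the code of anyone in this thread: instead of deleting banned words, it parses the profile HTML with PHP's DOM extension and keeps only known tags and attributes, so the `<script type="text/javascript">` variant from the first post is caught as well. The function name `filter_profile_html`, the tag list and the sample input are assumptions constructed for this example.

```php
<?php
// Added example (nobody's code from this thread): allow-list filter for profile HTML. Tags,
// attributes and nodes not explicitly allowed are dropped, whatever their spelling or casing.
function filter_profile_html(string $html): string
{
    // Tag => attributes kept on that tag; every other tag or attribute is removed.
    $allowed = [
        'p' => [], 'br' => [], 'b' => [], 'i' => [], 'u' => [], 'strong' => [], 'em' => [],
        'a' => ['href'], 'img' => ['src', 'alt'],
    ];
    if (trim($html) === '') { return ''; }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // malformed user markup must not raise warnings
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $html); // libxml wraps the fragment in <html><body>
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    $walk = function (DOMNode $node) use (&$walk, $allowed): void {
        // Walk a static copy, because the child list is mutated during the loop.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);
                if (!isset($allowed[$tag])) {
                    $node->removeChild($child); // whole subtree goes, script bodies included
                    continue;
                }
                foreach (iterator_to_array($child->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    // Drop unknown attributes (onclick, style, ...) and non-http(s) URLs (javascript:, data:).
                    if (!in_array($name, $allowed[$tag], true)
                        || (($name === 'href' || $name === 'src') && !preg_match('#^https?://#i', trim($attr->value)))) {
                        $child->removeAttribute($attr->name);
                    }
                }
                $walk($child);
            } elseif ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child); // comments, processing instructions (<?php ... ?>), CDATA
            }
        }
    };
    $walk($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are escaped again on output
    }
    return $out;
}
// Constructed sample: the profile snippet from this thread plus an on* handler and a script tag.
$input = '<body bgimg="http://someimageurl.com"><b onclick="go()">Hi</b>'
    . '<iframe width="*" height="*" src="http://someurl.com"></iframe>'
    . '<a href="javascript:void(0)">link</a><script type="text/javascript">/* dropped */</script>';
echo filter_profile_html($input), "\n"; // only <b>Hi</b><a>link</a> comes out
```

Because the filter removes whole elements rather than substrings, a removed `<iframe>` does not leave its `width`/`src` attributes behind as loose text the way the str_replace version above does.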