
I have a form and as of right now, you can type any javascript, etc. you want. Any XSS, etc.

How do I go about creating a whitelist so you can only post characters?

At some point I would like anything that starts with http:// to be converted to

<a href="http://..."></a>

Thanks

Is this efficient? http://htmlpurifier.org/

  • You know you can't use client-side code for data validation - your users can just turn off JS. So unless you are running server-side JavaScript, you are going to have to check server-side in another language for the presence of script tags/bad characters... Commented Nov 17, 2010 at 8:17
  • Thanks, I realize that now. Can you recommend any prebuilt solutions? Commented Nov 17, 2010 at 8:33
  • What is the server-side script you are using? Is it PHP, .NET, Perl, ...? Commented Nov 17, 2010 at 8:36

2 Answers


jQuery or Javascript is preferred

Well, no, you can't do that, you see? Because even if you 'sanitize' your data using JavaScript, no one's stopping anyone from

  • turning off javascript
  • using a browser's developer console to mess with the data
  • doing the POST directly, without a browser

In other words, you have to perform the validation/sanitization on the server side. JavaScript validation is there to enhance the experience of your users (by providing instant feedback on invalid input, for example).


2 Comments

I get it. So what do you recommend using then? Thanks
??? @Switz, shylent did recommend something: (...) you have to perform the validation/sanitization on the server side.


But still, in many high-load applications developers use partially client-side verifications (but all inputs have to be prepared for writing to db).

As you will be using PHP, I suggest you parse your $_POST values with htmlspecialchars(), mysql_real_escape_string() and so on.

You will have to use a regular expression to convert anything that starts with "http://" to links (well, you can also use explode('.', $_POST['yourInput']), which can be easier for you).

1 Comment

Very useful thank you :) To update your post: mysql_real_escape_string is deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Source: php.net/manual/en/function.mysql-real-escape-string.php
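The two answers above describe the approach (server-side sanitization, htmlspecialchars(), a regular expression for links, and a database API that is not mysql_real_escape_string()) without showing it. The following is an added example, not code from either answer or from the question's author. It assumes PHP 7 or later with the pdo_sqlite extension, a table named `comments`, and the function names `renderComment` and `storeComment`; all of these are choices made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from either answer. Everything here runs on the
// server, so it applies no matter what the browser does with the form.

/**
 * Turn untrusted comment text into safe HTML. Text and URLs are escaped
 * separately; the <a> tags built here are the only markup in the result.
 */
function renderComment(string $raw): string
{
    // A URL runs until whitespace, a quote or an angle bracket. The lookahead
    // leaves trailing sentence punctuation ("see http://example.com.") outside
    // the link. Only http:// and https:// qualify, so javascript: never links.
    $urlPattern = '~(https?://[^\s<>"\']+?)(?=[.,;:!?)]*(?:[\s<>"\']|$))~i';

    $parts = preg_split($urlPattern, $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html  = '';
    foreach ($parts as $i => $part) {
        // ENT_QUOTES also escapes single quotes; the charset is given explicitly
        // so malformed UTF-8 is rejected instead of being passed through.
        $escaped = htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($i % 2 === 1) {
            // Odd positions are the captured URLs. The escaped URL is used for
            // the href, so a quote inside it can never close the attribute.
            $html .= '<a href="' . $escaped . '" rel="nofollow noopener">'
                   . $escaped . '</a>';
        } else {
            $html .= $escaped;
        }
    }
    return $html;
}

/**
 * Store the raw text with a prepared statement. This is what replaces
 * mysql_real_escape_string(): the driver keeps data and SQL separate, so the
 * value is neither quoted nor HTML-escaped before it is stored.
 */
function storeComment(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
}

// Demonstration with constructed input and an in-memory SQLite database
// (assumes pdo_sqlite; any PDO driver, including MySQL, works the same way).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$samples = [  // constructed sample posts
    "Nice post, see http://example.com/?a=1&b=2.",
    "<script>alert(1)</script> http://example.com/\" onmouseover=\"alert(1)",
    "Robert'); DROP TABLE comments;-- javascript:alert(1)",
];
foreach ($samples as $raw) {
    storeComment($db, $raw);
}
foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo renderComment($row['body']), "\n";
}
```

Two design points worth noting. First, the text is stored as the user typed it and escaped only when it is rendered as HTML; escaping on the way in would break the same data for any other output (plain-text e-mail, JSON, a search index) and does nothing for SQL, which the prepared statement handles. Second, the URL is matched on the raw text and the URL and the surrounding text are escaped as separate pieces, so the link markup is the only HTML that reaches the page and a `"` or `<` in the input stays in the text part, where it is escaped.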
