
Basically, I need to be able to strip script and HTML from input fields before processing. I am using jQuery, and was hoping to find that there is a standard way of doing that sort of thing. Any ideas?

  • Don't. You should escape your content on the server. Commented Jun 12, 2011 at 16:36
  • I had thought about that, and it is easy enough to do, but was under the impression that it would be wise to prevent potentially harmful scripts from being submitted. Commented Jun 12, 2011 at 16:39
  • No, it's wise to ensure the server can handle potentially-malicious scripts instead. And you can't really do a belt-and-braces approach (e.g., doing it on both the client and server), because you end up either trying to detect whether something's encoded properly (vulnerability) or double-encoding it (which is a pain). Commented Jun 12, 2011 at 16:44
  • Thank you SLaks, probably saved me hours here. How do I accept your answer, it is not showing under the Answers heading? Commented Jun 12, 2011 at 16:50
  • I added that as an answer; you can now accept it. You're welcome. Commented Jun 12, 2011 at 18:14

4 Answers

Your HTML:

<input class="striphtml" name="name" />

Your JS:

$(document).ready(function() {
  // escape all html when the text in the input changes.
  // Note: an <input> has no text content, so $(this).text() returns ""
  // and would simply clear the field. Setting the value as the text of a
  // detached element and reading it back with .html() yields the
  // HTML-escaped form instead.
  $(".striphtml").change(function(){
      $(this).val( $("<div/>").text( $(this).val() ).html() );
  });
});

Result:

<p>This is a test.</p>

will be replaced with:

&lt;p&gt;This is a test.&lt;/p&gt;

Attention: As SLaks mentioned, you MUST validate your INPUTS on the server side!!!


You have to do it on the server. If you do it on the client, you leave yourself open to people hand-crafting HTTP messages to send to your server, knowing that your server assumes your client code escapes the strings. So, since your server can't assume the content is safe, it has to assume that it isn't safe. (Otherwise you end up double-encoding things, and that becomes a pain.) So it's neither possible, nor appropriate, for your client-side code to do the escaping.

1 Comment

Fair point, and well put. I had thought that it would be sensible to do both client AND server side, but I see what you are saying.

Here is a great tutorial for what you need. As SLaks said, do this server side. Sanitize your input

Tutorial

You could do some regular expression work with specific characters, but that can only help a little bit.

2 Comments

Thanks Brandon, but I don't use PHP. However, I understand the point and will take SLaks' advice.
Sorry, I just assumed HTML, CSS, jQuery, and PHP!

You shouldn't be doing this at all.

Instead, you should escape your content on the server.
This way, you can accept malicious input (or < characters) without being harmed by it.

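To make the point of SLaks' answer (and the "MUST validate on the server side" warning in the first answer) concrete, here is an added example in plain Node.js; it is not code from any of the answers, and it assumes no framework. The submitted value is stored exactly as received and escaped exactly once, at the moment it is written into HTML, which also shows the double-encoding problem raised in the comments. `escapeHtml`, `renderProfile`, `doubleEncoded` and the sample input are all constructed for this illustration.

```javascript
// Added example (not from the original answers): server-side output
// encoding in plain Node.js, no framework assumed.
//
// The stored value is kept exactly as submitted; escaping happens once,
// at the moment the value is written into HTML. This is what the answers
// mean by "escape your content on the server".

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the server keeps: the raw submission, untouched. No client-side
// handler can be relied on to have run, so nothing here trusts the value.
function store(submitted) {
  return String(submitted);
}

// Render a fragment. The stored value is treated as untrusted data and
// escaped at output time, regardless of what any jQuery code did.
function renderProfile(storedName) {
  return "<p>Hello, " + escapeHtml(storedName) + "</p>";
}

// Constructed sample: a request body written by hand, as any HTTP client
// can do, bypassing the form's .change() handler entirely.
const handCrafted = "<script>hi</script>";

// Escaping is not idempotent: applying it twice double-encodes. This is
// the "double-encoding pain" from the comments, and why escaping belongs
// in exactly one place (the server, at output) rather than on both ends.
function doubleEncoded(value) {
  return escapeHtml(escapeHtml(value));
}

// Stand-alone demonstration.
console.log(renderProfile(store(handCrafted)));
console.log(doubleEncoded("<b>"));
```

The markup in `renderProfile` is safe because `escapeHtml` runs at the point of output; run the same function on an already-escaped string and `doubleEncoded` shows the `&amp;lt;` you would see when both client and server escape.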