
How do I detect whether a user has input script into a text box?


andyhaywood

Programmer
Jan 12, 2004
4
GB
Hi,

Does anyone know whether it's possible to detect whether a user has put some form of script in a text input? Basically we need to stop people inputting something like "<script>alert(document.cookie)</script>" into an input as when this is returned from the server in xml form it is causing errors.

Thanks.
 
this is something i suggest doing server-side.

however, if you want to perform an initial check client-side, a regular expression should get you what you need. is it only <script> tags you're trying to exclude?



*cLFlaVA
----------------------------
mr. pibb + red vines = crazy delicious!

http://www.coryarthus.com/
 
Whatever is input is sent to the server and returned later as xml which is translated with xsl like this:

<input type="text" ...>
<xsl:value-of select="..."/>
</input>

So anything in that user value is put in here which I'm guessing means we need to test for more than just <script> tags?
 
What if you call escape or encode (I've forgotten the exact function name, sorry), to change your string into something XML legal?

"<script>alert(document.cookie)</script>" would become
"&gt.script&lt.alert(document.cookie)&gt./script&lt."

 
hi andy,

sorry for the delay. i've put together a sample of something that may work for you. let me know what you think:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title>Untitled</title>
<script type="text/javascript"><!--

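function removeStuff(t) {
    // Non-greedy match of anything between "<" and ">", i.e. anything shaped like a tag.
    var re = /\<.+?\>/g;
    // Remove every match from the text box's current value.
    t.value = t.value.replace( re, "" );
}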

//--></script>
</head>

<body>

<form name="f">
<input type="text" onchange="removeStuff(this);" name="t" />
</form>

</body>
</html>



*cLFlaVA
----------------------------
mr. pibb + red vines = crazy delicious!

http://www.coryarthus.com/
 
Quote:
What if you call escape or encode (I've forgotten the exact function name, sorry), to change your string into something XML legal?

it's escape() & unescape()

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
I think an easy way to do it is just to test for the <script> tag, if you just want the user to change it

if (value.match(/^.*\<script\>.*$/)) return false;
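An added example, not part of any post in this thread: it compares the two regex approaches posted above with XML entity escaping on ordinary input that also breaks XML, such as a bare "&" or "<". The function names, the `isXmlSafe` check and the sample inputs are constructed for illustration; `stripTags` and `hasScriptTag` reuse the regular expressions from the posts.

```javascript
// Added example: names and sample inputs are constructed, not from the thread.

// The five characters with special meaning in XML text and attribute values.
const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Single-pass replacement, so the "&" in an emitted entity is never escaped again.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// Tag-stripping regex from the sample page posted in the thread.
function stripTags(value) {
  return value.replace(/\<.+?\>/g, "");
}

// <script> test from the last post: true means the value would be rejected.
function hasScriptTag(value) {
  return /^.*\<script\>.*$/.test(value);
}

// Conservative check for a value placed in XML element text or a double-quoted
// attribute: no raw "<" or '"', and every "&" must start an entity or character reference.
function isXmlSafe(value) {
  return !/[<"]/.test(value) &&
         !/&(?!(amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)/.test(value);
}

// Constructed sample inputs: the string from the question plus ordinary text.
const samples = [
  "<script>alert(document.cookie)</script>",
  "Fish & Chips",
  'size 5" < 6"',
  "a < b",
];

// For each input: is it caught by the <script> test, and is the result
// of stripping or escaping safe to place in the XML?
function report() {
  return samples.map((s) => ({
    input: s,
    rejectedByScriptTest: hasScriptTag(s),
    strippedIsSafe: isXmlSafe(stripTags(s)),
    escapedIsSafe: isXmlSafe(escapeXml(s)),
  }));
}

console.table(report());
```

JavaScript's built-in `escape()` produces `%XX` percent-encoding rather than XML entities, which is why the example defines its own function. The same escaping belongs on the server where the XML is built, since a client-side check can be skipped.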
 