HTML <title> tag in a form textarea

[aliashippysmom]

Hi! Has anyone ever seen this?
Data is entered to the database using an HTML form. There's a textarea in the form. One user has entered comments which are bracketed with "<" and ">". In one textarea they literally typed:
<title is not correct ....

This is stored o.k. in the database.

When a different template is then executed to display all the database records (using ColdFusion and cfoutput), IE just stops after seeing the <title and no further info is output.

Displays properly in Firefox. I think IE thinks this is a new document or something. When I change the text to <titles
it's o.k. and displays properly.

I hope my explanation of the problem makes sense.

I've never seen this before. Has anyone else?
Thanks!!

 

[feherke]

Hi

Do not care what Explorer is thinking. Just do that correctly. Display < as &lt; in your HTML document.

In PHP you would use [tt]htmlspecialchars()[/tt] to do the conversion. Search the ColdFusion manual for something similar.

Feherke.

http://rootshell.be/~feherke/

 

[Foamcow]

When getting user input that will later be displayed in HTML you should always parse that input to remove/convert any HTML tags into non-html.

Likewise you should be escaping quotes and other special characters too.

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.