Disabling javascript in input data.

 
Ranch Hand
Hi All,
I have a textarea. If JavaScript code is written in it and saved, I want to render that as text and not as JavaScript code. For example, if I write



I want it to be displayed as text and not alert "Hello! I cheated". What's the easiest way of doing it?

Thanks in advance.
 
Marshal
That greatly depends on how you are "displaying it as text" in the first place. You have given us no information on how this text is handled once it is input by the user, so how can we help without that information?
 
Fawad Ali
Ranch Hand
Hi,
I did not get what you meant, but let me try to make it clearer (forgive me for my little understanding). I have a text area where the user can enter his interests. This field is saved to the database as is, and on the profile page the user's interests are displayed from the database. Now the pitfall is when a user cheats the system and writes some kind of JavaScript code. That will be saved to the database as is. When I try to render the profile page, it will also execute the cheated JS code. I don't want that to happen. I don't want the user to write his JS code into the text area. One way of solving this is to look for a script tag and convert the and to and before saving it to the database, but I want to avoid that lengthy process.

I hope it's better explained now.

Thanks for your previous reply.
 
Bear Bibeault
Marshal

Fawad Ali wrote: When I try to render the profile page,


This is the part you haven't explained.

How is the rendering taking place? JavaScript? JSP? PHP? ColdFusion? Fred's Fabulous Framework? Magic?
 
Author and all-around good cowpoke

but I want to avoid that lengthy process.



You are jumping to a conclusion which is very suspect. Using the java.util.regex Pattern like this:


You can replace all instances of < in a String tmp with


This is actually quite fast, much faster than all the other stuff going on in your app.

Bill
 
Bear Bibeault
Marshal
But I would not perform any changes to the data before storing it. I'd just convert it upon display. Otherwise, display considerations are polluting the Model.
 
Fawad Ali
Ranch Hand
Bibeault:
I am displaying the data through Java scriptlets, and some jQuery plugins like flexigrid, etc. use the data as JSON objects. So I return that data as JSON too.

Bill:
By "lengthy", I meant that I had to do this on each and every input field in my application. I am actually inquiring if there is some kind of form attribute or a JS function which could do it for me generically; that would have been great. Otherwise I will have to follow your solution.
 
Bear Bibeault
Marshal
Scriptlets? In 2011? :shock:

If you were to use the JSTL, as modern JSPs should, simply using <c:out> will properly HTML-escape the text upon display without you having to do a single other thing.
 
Bear Bibeault
Marshal
For anything that you need to convert on the client side, a simple JavaScript regex will easily escape the characters.
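The following is an added example, not code posted by anyone in this thread, showing both points made above: Bill's single regex replacement of the characters that have meaning in HTML, and Bear's advice to keep the stored data raw and escape only at display time (including data that arrives on the client as JSON for a grid plugin). The record shape and the `renderInterestsRow` helper are assumptions made for the illustration.

```javascript
// Added example (not from the thread): escape user-supplied text at display
// time, so the stored value stays untouched and the characters a browser would
// interpret as markup are shown as literal text instead.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass over every character that is special in HTML text or
// attribute context. Doing it in a single pass (rather than chained replaces)
// means the '&' of an entity we just produced is never escaped a second time.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Display-side helper for a JSON record such as a grid plugin would consume.
// The record is exactly what the server returned; each string field is
// escaped only at the moment it is turned into markup. (Hypothetical shape.)
function renderInterestsRow(record) {
  return '<tr><td>' + escapeHtml(record.name) + '</td><td>' +
    escapeHtml(record.interests) + '</td></tr>';
}

// Constructed sample input: the kind of entry the original poster is worried about.
const sampleRecord = {
  name: 'alice',
  interests: '<script>alert("Hello! I cheated")</script> & hiking',
};

console.log(renderInterestsRow(sampleRecord));
```

The same escaping is what `<c:out>` does for you on the server in a JSP; on the client it is worth routing every insertion of user data through one helper like `escapeHtml`, or using `textContent` instead of `innerHTML` when the target is a plain text node, so no field is forgotten.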
 