Re: [WebDNA] Protect TextArea and other Input-Fields with WebDNA - Something to talk about ;)

This WebDNA talk-list message is from 2009.
Hi Frank,

This is the solution which I already use. I just don't think it's elegant enough and I can't print code snippets without destroying [xxx] and <xxx> and without that the context is ruined.

An example of my code below...:

[include file=greps/code.inc&raw=F&the_text=[url][RemoveHTML][the_db_text][/RemoveHTML][/url]]

[convertwords db=/databases/WordConversions.db][the_text][/convertwords]

The grep is the following...:

[text]the_text=[convertchars db=/databases/MyConversions.db][the_text][/convertchars][/text]
[!] -- do offsite links [/!]
[text]the_text=[grep search=http:\/\/&replace=][text]the_text[/text][/grep][/text]
[text]the_text=[grep search=\[link=([^[unurl]%5D[/unurl]]*)\]([^[unurl]%5B[/unurl]]*)\[/link\]&replace=<a href="http://\1">\2</a>][text]the_text[/text][/grep][/text]

All input is welcome...

Palle

On 15/06/2009, at 20.44, Frank Nordberg wrote:

> Palle Bo Nielsen wrote:
>> Hi all,
>> How do you protect yourself from bad code submitted to a form field.
>> How do you make sure that e.g. HTML can be made visible with the
>> right syntax but no executable when submitted from a form field?
>
> I think the standard solution for webforum scripts regardless of
> programming language is to strip *all* html from the input and then
> add a set of custom codes for html tags that are allowed. This is
> easily done in WebDNA using [RemoveHTML] and [ConvertWords]. You can
> of course use the same procedure to filter out non-acceptable WebDNA
> tags from the input.
>
> Frank Nordberg
> http://www.musicaviva.com

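The approach Frank describes (neutralise all HTML, then expand a small set of allowed custom codes) and the [link=...]...[/link] grep in Palle's message, carried through as an added Python example that is not WebDNA and not code from this thread. It escapes every < > & " so a pasted snippet such as <xxx> stays visible but inert, which is what Palle asks for, then expands only the [link=host/path]label[/link] code into an anchor, re-adding http:// the way the grep does; the allow-list of characters accepted in a link target is an assumption.

```python
import html
import re

# Added example, not WebDNA: "escape all HTML, then expand only allowed
# custom codes" for forum-style input, modelled on the thread's pipeline.

# Same custom code the thread's grep handles: [link=host/path]label[/link]
LINK_CODE = re.compile(r"\[link=([^\]]*)\]([^\[]*)\[/link\]")
# Assumed allow-list for a link target: host/path/query characters only,
# so no quote, angle bracket, space or scheme separator can reach the href.
SAFE_TARGET = re.compile(r"^[A-Za-z0-9._~\-/%?=&+]+$")


def render_link(target: str, label: str, original: str) -> str:
    """Turn one [link=...]...[/link] code into an <a> tag, or escape it."""
    # Like the thread's grep: drop any leading http:// and re-add it below,
    # so the result is always an absolute http URL.
    target = re.sub(r"^https?://", "", target, flags=re.IGNORECASE)
    if not SAFE_TARGET.match(target):
        # Unacceptable target: show the code as literal, harmless text.
        return html.escape(original, quote=True)
    return (f'<a href="http://{html.escape(target, quote=True)}">'
            f"{html.escape(label, quote=True)}</a>")


def sanitize_post(raw: str) -> str:
    """Escape everything, then expand only the allowed [link] code."""
    out, pos = [], 0
    for m in LINK_CODE.finditer(raw):
        # Text between codes is escaped, so <xxx> and [xxx] print as typed.
        out.append(html.escape(raw[pos:m.start()], quote=True))
        out.append(render_link(m.group(1), m.group(2), m.group(0)))
        pos = m.end()
    out.append(html.escape(raw[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input
    post = "See [link=http://example.com/docs]the docs[/link] and <b>bold</b>"
    print(sanitize_post(post))
```

Because escaping replaces removal, a code snippet containing <xxx> survives as readable text instead of being destroyed by [RemoveHTML]; the [link] code remains the only route to real markup.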
Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Protect TextArea and other Input-Fields with WebDNA - Something to talk about ;) (Palle Bo Nielsen 2009)
  2. RE: [WebDNA] Protect TextArea and other Input-Fields with WebDNA - Something to talk about ;) ("Olin Lagon" 2009)
  3. Re: [WebDNA] Protect TextArea and other Input-Fields with WebDNA - Something to talk about ;) (Brian Fries 2009)
  4. [WebDNA] Protect TextArea and other Input-Fields with WebDNA - Something to talk about ;) (Palle Bo Nielsen 2009)
Palle Bo Nielsen
