  1. #1
    Markdidj

    Position of cursor in text box.

    I am using a form, onkeyup and innerHTML to display what has been typed into a text box.

    I used..

    function formcheck() {
        // count the characters typed so far
        var lettercount = document.formname.email.value.length;
        // alert if the most recently typed character is "<"
        if (document.formname.email.value.charAt(lettercount - 1) == "<") { alert(); }
    }

    This sent an alert if someone tries to type '<' in a form to start an HTML command.

    This could be used for instant form validation on the client side, but it only shows the alert when it is the LAST thing written in the box. If I could count the letters to the cursor in the text box, then I could use this number to make sure nothing suspicious is written in the form.

  2. #2
    jofa
    What if the user pastes html code into the textbox?

    And what if the user types a single < (not an HTML tag)?

    Isn't it a better idea to do this before the form is posted?
    // remove paired html tags (opening tag, content and matching closing tag);
    // replace() returns a new string, so the result must be assigned back
    txt.value = txt.value.replace(/<\s*(\S+)(\s[^>]*)?>[\s\S]*<\s*\/\1\s*>/gi, "");

  3. #3
    Markdidj

    It has to be checked while the input is being written

    Thanks Jofa, but I would prefer to check the input while it is being written, although that's handy for final check.

    function newdesc(thisdesc) { document.getElementById("moshe").innerHTML = thisdesc; }

    Is it possible to write it in the description changing function above? I had a few goes, but my combos didn't work.

    Thanks

  4. #4
    Markdidj

    It's OK, I used this.....

    I found this works.....

    function formcheck() {
        var lettercount = document.formname.email.value.length;
        // scan every character typed so far, not just the last one
        for (var i = 0; i < lettercount; i++) {
            if (document.formname.email.value.charAt(i) == "<") { alert(); }
        }
    }

    what other symbols would I need to check to make it more secure?

    Thanks

  5. #5
    jofa
    I still think the best method is using a regexp to remove the html tags.
    Just because the typed character is a "<" doesn't mean the user is trying to enter html code.

    An alternative method is this one:
    http://www.htmlgoodies.com/stips/scripttip80.html

  6. #6
    Markdidj

    Can I use this regexp before submitting (i.e. onkeyup)?

    Jofa, once again my descriptions appear AS THEY ARE WRITTEN by the user.

    If the form's output is written to the innerHTML onkeyup, then when I write....
    <img src=mypic.gif> into the form, WITHOUT SUBMITTING, it will put the picture into the innerHTML, which I do not wish to happen.

    Using this method I could allow certain HTML tags through, like <br>, to allow the user limited functions when writing their own description.

    I like the look of this program that you sent, with the replace, but I'm not used to form validation. Can I combine the two,

    txt.value.replace(/<\s*(\S+)(\s[^>]*)?>[\s\S]*<\s*\/\1\s*>/gi, "");

    with an event?

    I tried to trigger the replace with onkeyup, but couldn't get it to work on a defined piece of text.

    As for not allowing "<": who would want to write it in an e-mail address or name input? In fact, none of my forms would require, want or need the "<" symbol.

    So if anyone typed a "<" it would be disallowed, therefore stopping people writing a complete HTML tag. (Although using the same method some could be allowed....<font>, <i>, <b>.) Will other program commands work from a form input, i.e. javascript, php?
    will they need a "<"script> command to run?

    Will any of them work inside HTML on their own?
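    As an added example (not code from this thread), this shows what jofa's regexp from post #2 actually strips, and answers post #6 by wiring a keyup handler that escapes the typed text before it reaches innerHTML, so <img src=mypic.gif> is displayed as text while an allowlisted bare tag such as <br> still renders. The element ids "desc" and "moshe" and the allowlist contents are assumptions.

```javascript
// Added example, not from the thread. Element ids and the allowlist are assumed.

// jofa's regexp (post #2): matches an opening tag, everything up to the
// matching closing tag, and removes the lot. Unpaired tags such as
// <img src=mypic.gif> have no closing tag and are left untouched.
var PAIRED_TAG = /<\s*(\S+)(\s[^>]*)?>[\s\S]*<\s*\/\1\s*>/gi;

function stripPairedTags(raw) {
  return raw.replace(PAIRED_TAG, "");
}

// Escape the characters that innerHTML would otherwise parse as markup,
// so typed text is shown as text regardless of whether it contains "<".
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;")
          .replace(/</g, "&lt;")
          .replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;");
}

// Bare tags the user may keep in a description (post #6 mentions <br>, <b>, <i>).
var ALLOWED_TAGS = ["br", "b", "i"];

// Escape everything, then turn only allowlisted bare tags back into markup.
// A tag carrying attributes (e.g. <img src=...>) never matches and stays text.
function previewHtml(raw) {
  return escapeHtml(raw).replace(/&lt;(\/?)(\w+)&gt;/g, function (m, slash, tag) {
    var name = tag.toLowerCase();
    return ALLOWED_TAGS.indexOf(name) !== -1 ? "<" + slash + name + ">" : m;
  });
}

// Browser wiring: refresh the preview on every keyup (skipped outside a browser).
if (typeof document !== "undefined") {
  var box = document.getElementById("desc");
  box.onkeyup = function () {
    document.getElementById("moshe").innerHTML = previewHtml(box.value);
  };
}
```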

