RE: Safe HTML display of user-entered text

2005-08-05 Thread Dave Watts
I'm going through old emails I hadn't read, sorry it's taken so long to respond. On Thu, 3 Mar 2005 16:07:05 -0500, Mike Chabot [EMAIL PROTECTED] wrote: I am saying that if the user tries to enter b tags to make text bold, he is going to be disappointed because the HtmlEditFormat tag

Re: Safe HTML display of user-entered text

2005-08-05 Thread Barney Boisvert
Another to this problem is to use a non-HTML markup language like BBML or something. Then there's no possibility for evil, but you do need a BBML parser (though I know at least one CFML implementation exists). Another route would be to explicitly allow stuff you DO want, rather than denying

Re: Safe HTML display of user-entered text

2005-08-05 Thread Rick Root
The two ways I've handled this in the past: #1 - use BBML. CFMBB (www.cfmbb.org) includes a parseBBML udf that I converted from a custom tag written by the dude who runs the depressed press. The nice thing about the BBML parser is that if someone uses a [b] but not [/b], then the opening

Safe HTML display of user-entered text

2005-03-03 Thread Mike Chabot
Below is a function for displaying text, entered by users in form fields, in HTML format to someone else. Can this code be improved? This code assumes the user is not allowed to enter HTML markup in the text fields. function friendlyHtml(argStr) { argStr=htmlEditFormat(argStr);

Re: Safe HTML display of user-entered text

2005-03-03 Thread Barney Boisvert
This code assumes the user is not allowed to enter HTML markup in the text fields. By this you mean that the submitted data is checked for HTML content via another means? Because the way you said it (the form field itself prevents HTML from being entered) isn't secure. cheers, barneyb On

Re: Safe HTML display of user-entered text

2005-03-03 Thread Mike Chabot
I am saying that if the user tries to enter b tags to make text bold, he is going to be disappointed because the HtmlEditFormat tag basically wipes out all HTML. If I wanted to allow limited HTML, I would have to scan the string for all potentially dangerous tags, which I believe would be less

Re: Safe HTML display of user-entered text

2005-03-03 Thread Bryan Stevenson
If you want the user to enter basic formatting commands, you can adopt the approach many discussion boards use... tell the user to use your special tags [b] [/b] for bold etc. You define the tags...they use them...when you display the data later you parse out those tags and replace with valid

Re: Safe HTML display of user-entered text

2005-03-03 Thread Sean Corfield
On Thu, 3 Mar 2005 16:07:05 -0500, Mike Chabot [EMAIL PROTECTED] wrote: I am saying that if the user tries to enter b tags to make text bold, he is going to be disappointed because the HtmlEditFormat tag basically wipes out all HTML. If I wanted to allow limited HTML, I would have to scan