JavaScript: stripHTML()
I am creating a form that displays data based upon the user's input. The form is done in ASP.NET and works great, but I can't seem to figure out how to apply a decent filter for html tags. If the user inputs html, or anything in between the < > signs, then it replaces the string. However, if the user inputs a less-than sign (<) and some words after it, without the closing greater-than sign (>), then I get an asp.net error message saying that this might be a type of xss attack on my application.
My question:
Would someone please help me edit my filter so that it blocks not only all characters in between the tags, but also if someone put something like <script as well?
Here's what I have:
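```javascript
function stripHTML() {
    // Matches a complete tag only: "<", a non-space character, then anything up to ">"
    var re = /<\S[^><]*>/g;
    for (var i = 0; i < arguments.length; i++) {
        arguments[i].value = arguments[i].value.replace(re, ".");
    }
}
```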
don't use javascript to filter it because then someone can just set your function to null in their URL bar. instead use asp (never coded in asp) and find a function that checks each letter, and if it's a <, then replace it with nothing.
like in php i use:
$word = str_replace("<", "", $word);
that removes all < out of $word.
why not just use a string replace for the < and > chars ?? then you'd have something like (pseudo code)
```
String = String.replace('<','');
String = String.replace('>','');
```
(I don't do asp so I'm not sure how it works there, but the concept is the same)
Then you would get:
input -> <harmful code here>Yay im inputing shit
output -> harmful code hereYay im inputing shit
chislam wrote: don't use javascript to filter it because then someone can just set your function to null in their URL bar. instead use asp (never coded in asp) and find a function that checks each letter, and if it's a <, then replace it with nothing.
like in php i use:
$word = str_replace("<", "", $word);
that removes all < out of $word.
uhh this just in, there's a function in php called strip_tags() that does a better job than what you just posted ;)
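An added example, not part of any post in this thread: it runs the asker's pattern next to an extended pattern that also catches an unclosed `<script`, and shows why a single removal pass can leave a tag behind. It goes slightly beyond the thread by including character encoding as an alternative to stripping; `stripOnce`, `stripTags` and `escapeHtml` are hypothetical names, and the inputs are constructed.

```javascript
// Added example, not code from the thread. All function names are hypothetical.
// Browser-side filtering is a convenience only; the server must repeat the check.

// The asker's pattern: matches only a complete tag that ends in ">".
var COMPLETE_TAG = /<\S[^><]*>/g;

// Extended pattern: "<" plus a non-space character, then everything up to the
// closing ">", or, when there is none, up to the next "<" or the end of the string.
var TAG_OR_UNCLOSED = /<\S[^><]*(?:>|(?=<)|$)/g;

// One pass with the asker's pattern (removing matches instead of writing ".").
function stripOnce(text) {
  return text.replace(COMPLETE_TAG, "");
}

// Repeat the extended pattern until the text stops changing, so that removing
// one match can never leave a new tag behind.
function stripTags(text) {
  var previous;
  do {
    previous = text;
    text = text.replace(TAG_OR_UNCLOSED, "");
  } while (text !== previous);
  return text;
}

// Alternative to stripping: encode the markup characters so the browser shows
// them as text. Nothing is lost, and "a < b" stays readable.
var ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, function (ch) { return ENTITIES[ch]; });
}

// Constructed sample inputs.
var samples = ["hi <b>there</b>", "<script alert(1)", "<scr<b>ipt>x", "a < b"];
samples.forEach(function (s) {
  console.log(JSON.stringify(s), "->", JSON.stringify(stripOnce(s)),
              "|", JSON.stringify(stripTags(s)), "|", JSON.stringify(escapeHtml(s)));
});
```

The third sample is the case to watch: one pass with the original pattern turns `<scr<b>ipt>x` into `<script>x`, while the repeated extended pattern leaves no `<` in the result.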