NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: Robert Iliuta on September 17, 2014, 07:59:53 AM
-
Hello,
I need to make a column of a browse xHTML (by design it needs to be xHTML), then I realized that the information I will display there will also be taken from a field where the user has access and can insert text or xHTML code... well, the user doesn't know that, but I don't like this. They could also inject JavaScript code... Is there a way to exclude that field from being xHTML? Or a script that will remove xHTML code from that field (if the user puts some code there) before it is saved to disk?
Thank you,
Robert
-
Hi Robert,
There are 2 options in the template wherever you can "allow xHTML".
a) allow xHTML and
b) allow UNSAFE xHTML.
Basically, as long as you only use the first and not the second, you will be OK. NetTalk uses a white-list system to allow specific HTML elements while preventing everything else. JavaScript is specifically unsafe, and so any unsafe code will be stripped from their submission.
cheers
Bruce