Do you want to allow some markup?
Possible options are:
- use HTMLEncode, this way *all* markup will be considered as text and will
be just displayed (you could still recognize http scheme and add the link
yourself)
- if you still want to allow some code but not all you'll have to check the
input for sanity. Try Googling for "html sanitizer". I would recommend a
white list approach (i.e. rather than searching what is dangerous, all is
dangerous except what you allowed). Also be aware of cases such as putting
javascript: in an src attribute which could perhaps run on some browser...
- AFAIK some are using special tags such as found in wikis. This way you
don't allow any HTML markup but still users are able to do some formatting
#3 would likely be my personal preference, i.e. comments are NOT HTML markup;
still [http://www.mysite.com] or [http://mmy.site.com/myimage.png] could be
turned into an "a" and "img" tag but safely and used with explicit user
consent by clicking on the link. It is likely easier than avoiding
introducing possible exploits in the allowed HTML markup.
--
Patrice
"Anton" <no_email> wrote in message
news:%(E-Mail Removed)...
> hi
>
> I'm creating a website where people can post comments etc, i fear that
> someone can post script into the comment field and the script will
> redirect the user to a different website - hijacking my website..
>
> not sure how to avoid this
>
> I know it's some kind of test I should do on what the user types into the
> comment field, but not sure how to do that test
>
> any ideas?
>
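As an added example (not code from this thread), here is one way to implement option #3 from the reply above in Python: first HTML-encode the whole comment, then re-introduce only the `[http://...]` link syntax, with an http/https scheme white list so that `javascript:` and similar never become a link. The function and pattern names are assumptions.

```python
import html
import re

# Wiki-style link syntax from the reply: [http://www.mysite.com]
# White list: only http and https schemes match. Anything else, including
# "javascript:" URLs, never matches and stays as encoded plain text.
# The character class also stops at whitespace, ']' and quote characters.
LINK_RE = re.compile(r"\[(https?://[^\s\]<>\"']+)\]", re.IGNORECASE)


def _to_anchor(match: re.Match) -> str:
    """Turn one matched URL into an <a> tag.

    The URL text was already passed through html.escape together with the
    rest of the comment, so any '&', '"' or '<' inside it is already an
    entity and cannot break out of the href attribute.
    """
    url = match.group(1)
    return f'<a href="{url}" rel="nofollow">{url}</a>'


def render_comment(text: str) -> str:
    """Render an untrusted comment as HTML (option #3 in the reply).

    Step 1: HTMLEncode everything, so *all* user-supplied markup becomes text.
    Step 2: re-introduce only the white-listed [http://...] link syntax.
    """
    encoded = html.escape(text, quote=True)
    return LINK_RE.sub(_to_anchor, encoded)


if __name__ == "__main__":
    # Constructed sample comments, not taken from the thread.
    for comment in (
        "hello <script>alert(1)</script>",
        "see [http://www.mysite.com] for details",
        "[javascript:alert(1)]",
        '[http://x.example/" onmouseover="x]',
    ):
        print(render_comment(comment))
```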