Inspiring
June 17, 2006
Question

Preventing HTML from being posted in form?

  • June 17, 2006
  • 9 replies
  • 1019 views
I have a simple guestbook that I put together myself.

When people enter their name, address, comments, etc, it sends me a copy of
what they posted, and sends them an email that thanks them for signing.

If the copy that I get is out of bounds, I have an admin page that lets me
delete the post. If the email to them bounces, then I know that they didn't
enter a valid email and I will also delete those posts.

Lately, some yahoo has posted in the comments actual code that displays a
frame that completely covers up my guestbook and says something like "haha,
I hijacked your board".

I wish I hadn't deleted the post, because I would like to look at it now to
see how he did it.

I want to prevent anybody from posting any code in the comments field. What
is the easiest way to do that?

Thanks,

Kirk



    9 replies

    Inspiring
    June 28, 2006
    go to cflib.org and look for a function called safetext.
    Participating Frequently
    June 28, 2006
    This will strip out all HTML tags from "Form.Message"

    -------------------------------------------------------------
    <cfset content = form.message />

    <!--- Loop until no complete "<...>" pair is left; cfbreak is the only exit.
          (condition="X=1" would fail because X is never defined.) --->
    <cfloop condition="true">
    <cfset pos1 = find("<", content) />
    <cfif pos1 EQ 0>
    <cfbreak />
    <cfelse>
    <cfset pos2 = find(">", content, pos1) />
    <cfif pos2 EQ 0>
    <cfbreak />
    <cfelse>
    <!--- Drop the "<...>" run in one step. RemoveChars avoids the zero-length
          left()/right() calls you get when the tag starts or ends the string. --->
    <cfset content = removeChars(content, pos1, pos2 - pos1 + 1) />
    </cfif>
    </cfif>
    </cfloop>
    Inspiring
    June 26, 2006
    Mark,

    That looks like an easy thing to try. I will do that. Someday when I have
    time, I may work on the profanity filter, but haven't had time to figure
    that out.

    Kirk

    "healey_mark" <webforumsuser@macromedia.com> wrote in message
    news:e7cef4$m0q$1@forums.macromedia.com...
    >I would also try just running the comments through the "URLEncodedFormat"
    >function. This will replace the nasty characters with, well, URL Encoded
    >versions instead.


    June 21, 2006
    I would also try just running the comments through the "URLEncodedFormat" function. This will replace the nasty characters with, well, URL Encoded versions instead:

    Testing: <b>hello</b>

    Notice how this forum displays the <b> instead of bolding my entry; it just converts it to & l t ; b & g t;
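An added Python example (not ColdFusion, and not code from any of the posters) that puts the thread's three tactics side by side on constructed entries: stripping every "<...>" pair as the two CFML snippets in the thread do, holding an entry for review when it contains "<" or ">" or a listed word, and encoding the entry when it is written to the page, which is what this forum did to the <b> above. The function names, the sample entries and the blocklist word are assumptions.

```python
import html
import re

# Constructed sample guestbook entries (not taken from the thread).
SAMPLES = [
    "Nice site, thanks for the photos!",
    "Testing: <b>hello</b>",
    "1 < 2 and 3 > 2",
    "</pre><b>breaking out of a pre block</b><pre>",
]

# Same pattern as the rereplacenocase() post in this thread: any "<" ... ">" pair.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text: str) -> str:
    """Stripping approach from the thread: delete every complete <...> pair.
    Side effect on the third sample: an ordinary comparison such as
    "1 < 2 and 3 > 2" loses everything between its "<" and ">"."""
    return TAG_RE.sub("", text)


def escape_for_html(text: str) -> str:
    """Encoding approach, as this forum did to the <b> in the post above: the
    entry is stored verbatim and the browser shows the markup as text."""
    return html.escape(text, quote=True)


def needs_review(text: str, blocklist=("spamword",)) -> bool:
    """Moderation gate: hold the entry instead of auto-approving it when it
    contains "<" or ">" or a word from the profanity list."""
    if "<" in text or ">" in text:
        return True
    words = set(re.findall(r"[a-z']+", text.lower()))
    return any(word in words for word in blocklist)


def render_post(text: str) -> str:
    """HTML emitted for one entry. The closing </pre> trick in the last sample
    cannot break out of the wrapper because the entry is encoded first."""
    return "<pre>" + escape_for_html(text) + "</pre>"


if __name__ == "__main__":
    for entry in SAMPLES:
        print(f"{entry!r}\n  strip -> {strip_tags(entry)!r}")
        print(f"  render -> {render_post(entry)}  review={needs_review(entry)}")
```

Stripping changes what the visitor wrote and still leaves a lone "<" in the page, while encoding at output keeps the entry intact and is what stops a posted frame from rendering on the guestbook and on the admin page alike.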
    Inspiring
    June 18, 2006
    <!---trim & strip html from form fields--->
    <cfloop index="i" list="#form.FieldNames#">
    <!--- form[i], not form: assigning to "form" would overwrite the whole form scope --->
    <cfset form[i] = rereplacenocase(trim(form[i]), '<[^>]*>', '', 'all')>
    </cfloop>

    I hope that's of some use.




    "kirk_" <kirk@1st.net> wrote in message
    news:e71sgc$kl5$1@forums.macromedia.com...
    >I have a simple guestbook that I put together myself.
    >
    > When people enter their name, address, comments, etc, it sends me a copy
    > of what they posted, and sends them an email that thanks them for signing.
    >
    > If the copy that I get is out of bounds, I have an admin page that lets me
    > delete the post. If the email to them bounces, then I know that they
    > didn't enter a valid email and I will also delete those posts.
    >
    > Lately, some yahoo has posted in the comments actual code that displays a
    > frame that completely covers up my guestbook and says something like
    > "haha, I hijacked your board".
    >
    > I wish I hadn't deleted the post, because I would like to look at it now
    > to see how he did it.
    >
    > I want to prevent anybody from posting any code in the comments field.
    > What is the easiest way to do that?
    >
    > Thanks,
    >
    > Kirk
    >


    Inspiring
    June 18, 2006
    If your guestbook has a profanity filter (as any good one should) just add the "<" and ">" as part of that filter.

    One of our clients' guestbooks is set up to auto-approve so long as nothing is found from within the profanity filter. If something IS found, it is held back and a notice is sent to me to review the post before it is allowed on the board. Sometimes the entry is actually ok, so this way we can approve it or delete it first.

    So far, in 5 years, we haven't had any hijacking issues, and that site sees a ton of traffic every day.




    ... and the newsgroups are always behind the forums
    Inspiring
    June 18, 2006
    William,

    Thanks for the recommendations. The allow/deny post field is something that
    I have thought about. One of my guestbooks actually has a field called
    "Hide_Post", but I used it to hide old, stupid, or out of bounds posts.
    This particular guestbook doesn't have that field, but it would be easy to
    add.

    The automatic approve that I have been using has been working fine until
    lately. I check my email quite often and usually get the out of bounds
    posts off pretty quick. The problem with this last troublesome post was
    that the same text that blew up the guestbook, also blew up my admin form.
    The form would start to load and as soon as it would get to the bad entry,
    it would load that stuff on top of the admin form.

    The <pre> is a good idea that I didn't even dream of. Maybe I will try
    that.

    I was thinking that there is something that I can do in the entry form. I
    already check to make sure that they enter a name and email and a couple of
    other required fields. I was thinking that there might be a creative way to
    check the comments field for html, then kick it back to the entry form with
    an error saying that html is not allowed in this field. Or maybe allow it
    to go through, then strip all <a href's, <div's, <img, etc... from the post.
    That seems to be kind of messy though.

    Thanks,

    Kirk


    "coderWil" <william@seiter.com> wrote in message
    news:e72ipn$d4v$1@forums.macromedia.com...
    >I usually add a column to the database table called 'active'. This allows
    >me
    > to turn off the display of an item without having to delete it.
    >
    > As far as keeping the person from posting code. You can change to a
    > managed
    > board, where it won't show until you 'approve' it. Or you can display all
    > messages in their own <textarea> form area or even surround each post with
    > <pre> (which will only work until someone starts their post with a closing
    > <pre> and ends it with an opening <pre> as a getaround).
    >
    > I like jdeline's suggestion. I would add this:
    >
    > If the message has the opening and closing marks, then do not auto-approve
    > it
    > (active = 1), but wait until you approve it yourself.
    >
    > Hope this helps.
    >


    Inspiring
    June 18, 2006
    I usually add a column to the database table called 'active'. This allows me to turn off the display of an item without having to delete it.

    As far as keeping the person from posting code. You can change to a managed board, where it won't show until you 'approve' it. Or you can display all messages in their own <textarea> form area or even surround each post with <pre> (which will only work until someone starts their post with a closing <pre> and ends it with an opening <pre> as a getaround).

    I like jdeline's suggestion. I would add this:

    If the message has the opening and closing marks, then do not auto-approve it (active = 1), but wait until you approve it yourself.

    Hope this helps.
    June 17, 2006
    For starters, you could search for the existence of "<" and ">" within the message, and if you find them, don't post it.
    June 18, 2006
    Strange, the message from jdeline shows up on the Adobe.com forum, but not on my newsgroup reader. Must be something out of synch.

    I like that idea, maybe I could check for < or > and kick it back to the entry form with an error message saying that no HTML is allowed in the comments field.

    Thanks,

    Kirk