[Help] Escaping input in MyCode
#1
Hi!

I was experimenting with MyCode today and found a need to escape quotes in users' input.
The reason is that I use the users' input in JavaScript and quotes break the code. Additionally, some special characters could be used to perform an XSS attack.

Is there a way to escape or remove quotes and other special characters from the input?

Thank you very much!
Visit blog.1llusion.info for security tips, news and much more!
#2
MyCode is a very simple method to produce HTML from BB code, but it is as limited as it is easy to use. You can filter which characters will be accepted by the match (to keep bad stuff out or from breaking your JavaScript), but that will also make the MyCode break and display as the code instead of the expected replacement.

To create a BB code that filters and escapes user input you will probably have to use a plugin.

Is there a way that you can separate your JavaScript from the replacement? In other words, put the JS in a function and call the function with a relative value like 'this.value'? If so, that will ensure that the JS won't break on quotes and such. I have used this technique to allow a spoiler button to display almost all characters without breaking.

Well, now I am just rambling.
Cheers.
[retired]
#3
(2013-05-21, 03:54 AM)Wildcard Wrote: MyCode is a very simple method to produce HTML from BB code, but it is as limited as it is easy to use. You can filter which characters will be accepted by the match (to keep bad stuff out or from breaking your JavaScript), but that will also make the MyCode break and display as the code instead of the expected replacement.

To create a BB code that filters and escapes user input you will probably have to use a plugin.

Is there a way that you can separate your JavaScript from the replacement? In other words, put the JS in a function and call the function with a relative value like 'this.value'? If so, that will ensure that the JS won't break on quotes and such. I have used this technique to allow a spoiler button to display almost all characters without breaking.

Well, now I am just rambling.
Cheers.

I was afraid of that answer. I was thinking about separating the JS and the input too, but, well, that in my eyes is a little bit of a messy solution, so I wanted to know if there was some nicer way.

Thank you for the answer!

EDIT: Used the this.value method and this fixed the issue to a certain point. It is not ideal but it works.
Visit blog.1llusion.info for security tips, news and much more!