NetTalk Central

Author Topic: Let user insert html text in a field is dangerous?  (Read 2904 times)

Robert Iliuta

  • Sr. Member
  • ****
  • Posts: 472
    • View Profile
    • Email
Let user insert html text in a field is dangerous?
« on: September 17, 2014, 07:59:53 AM »
Hallo,

I need to make a column of a browse xHTML (by design need to be xHtml) then i realize that the information I will display here it will be taken also from a field where user have access and can insert text or xhtml code... well user doesn't know that but I don't like this. They could inject also javascript code... Is there a way to exclude that field to be xHTML? or a script that will remove xHTML code from that field (if user put some code there) before to be saved on disk?

Thank you,
Robert

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11244
    • View Profile
Re: Let user insert html text in a field is dangerous?
« Reply #1 on: September 17, 2014, 09:01:32 PM »
Hi Robert,

There are 2 options in the template wherever you can "allow xHTML".
a) allow xHTML and
b) allow UNSAFE xHTML.

Basically as long as you only use the first, and not the second, you will be ok. NetTalk uses a white-list system to allow specific html elements, while preventing everything else. JavaScript is specifically unsafe and so any unsafe code will be stripped from their submission.

cheers
Bruce