0

I added this code to my site to have text sanitization:

    function stripTags() {
        // Matches any <...> run; note this only runs in the browser
        var re = /(<([^>]+)>)/gi;
        for (var i = 0; i < arguments.length; i++) {
            arguments[i].value = arguments[i].value.replace(re, "");
        }
    }

But somehow people are able to use the tag and still be able to post pics on my website through the text area. Please let me know if I have the code wrong.

PS: Users were also getting away with tags as well.

Karthik
  • 25
  • 1
  • 5

2 Answers

0

Never trust the input data. A user can simply use curl or something else and send an HTTP POST request to your server with any data he wants in the body. Therefore have a rule to validate all data on the server side before saving it to the database.

You can introduce client-side validation to improve the user experience, but you still have to validate that input on the server side when the request is received.

Update:

I see that you tagged your question with the php tag, so if your server-side application is written in PHP, you can use HTML Purifier to sanitize input data and avoid XSS, etc. Also, if you use some PHP framework, it probably has its own wrapper for HTML Purifier. For example, the Yii framework has one.

Eugene Naydenov
  • 7,165
  • 2
  • 25
  • 43
0

Maybe nothing is wrong; the user just disables JavaScript before submitting.

Check on the server side like:

 $_POST['name'] = preg_replace('/<[^>]*>/', '', $_POST['name']);

OR

 $_POST['name'] = strip_tags($_POST['name']);

JOE LEE
  • 1,058
  • 1
  • 6
  • 6