
So I have an HTML form using the form attributes, and people can send HTML in the form fields that actually works on the page that reads the form submissions. Is there any way to disable HTML on the form?

    <h2>Request a song! (NEW)</h2>
    <form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>"><br /> 
    Song (Artist - Song):<br /> 
    <input type="text" name="song"><br /> 
    Your Name:<br /> 
    <input type="text" name="name"><br /> 
    Comments (Shoutout requests, etc):<br /> 
    <input type="text" name="dedicated"><br /> <br /> 
    <input type="submit" onClick="javascript:clickedButton()" name="submit" value="Submit">
    </form>
Edward Nevard
  • At least you could use [strip_tags()](http://php.net/manual/en/function.strip-tags.php), you also should take a look at this one: http://stackoverflow.com/questions/4223980/the-ultimate-clean-secure-function – swidmann Feb 16 '16 at 17:20
  • There is no way to simply do it, you have to have code clean it yourself, either by having Javascript that keeps them from typing banned characters or dynamically removing those characters, or using some sort of PHP solution server-side, like `strip_tags()`. Ideally, you'd run both for safe form validation. – Aeolingamenfel Feb 16 '16 at 17:23

1 Answer
  1. When someone clicks submit, prevent the default from happening (the form being sent to you).

  2. Instead, check each input/textarea field for tag characters such as `<` or `>`, as all HTML contains them. Produce an error message if the tags are present.

e.g.

    // check every text field of the form (the question's form only has inputs, no textareas)
    $('input, textarea').each(function() {
       // matches an opening or self-closing tag, with or without attributes
       if ($(this).val().match(/<(\w+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)>/)) {
          alert('html found');
       }
    })
Phiter
Pepper