tags:

views:

98

answers:

2
+1  Q: 

Sanitize input for code blog

I have a code blog in which I have a user input form for submissions. Whatever goes in that form will appear on one of the pages. Now this is a coding blog, so I don't want to strip any HTML tags or javascript code from the input, but I don't want it to executed at any point. What is the best way to render any input harmless? Is replacing < by &lt; and > by &gt; enough?

(for info, the sever will be GAE, the input will be passed around (but never evaluated) in python variables, and stored in a TextProperty)

+1  A: 

Yes, replacing < and > should be enough

Charlie Somerville  2009-10-06 12:11:55
A: 

The best bet would be to simply escape those values on the back-end for safe input into your storage engine and output them using HTML entities so that they are displayed as code.

Jeff Ober  2009-10-06 12:14:00

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?