tags:

views:

70

answers:

4
+1  Q: 

JavaScript - Detect HTML

Hello,

I have an HTML textarea element. I want to prevent a user from entering any HTML tags in this area. How do I detect if a user has entered any HTML a textarea with JavaScript?

Thank you

A: 

firstly, bear in mind that you'll need to re-validate on the server side, since anyone can fake a http post, and if they have javascript disabled then of course you have no control :)

what i'd do is

<textarea onkeypress="disableHtml(this);" name="text"></textarea>

and for the javascript

function disableHtml(element) {
  element.value = element.value.replace(/[<>]/g, '');
}

another way to do this would be to replace < and > with &lt; and &gt; on the server side, which is the better way because it's secure and people can still frown >:)

[edit : you can make the regexp as clever as you like, if you want to only detect certain tags for instance]

oedo  2010-04-13 17:41:24
This will still leave the body of the HTML element — element name and attributes, etc. in cases where someone pasted in some markup.
Robusto  2010-04-13 17:44:22
yep but it won't be valid html so it doesn't matter. server-side sanitisation is definitely the best policy anyway
oedo  2010-04-13 17:47:04
This is a terrible method. As @robusto said but @odea ignored, simply pasting and submiting will get around this method.
Coronatus  2010-04-13 17:52:08
there is no client-side method to avoid getting around it 100%. that's why i've continually advocated server-side stuff. @robusto said, if i understand, that if someone pastes in <a name="hi"> then it will still show a name="hi" without the < and >, that's all. or did i misunderstand you, robusto?
oedo  2010-04-13 17:53:55
Server side validation is the best practice possible... If you're practicing client-side validation, why can't I just write a webpage to send you my username as `' DELETE * FROM * '`? [or in your case, </div></span></a></div></span></a></body></html><script> window.location="viruses.com"; </script>
ItzWarty  2010-04-13 17:56:03
This is definitely unsafe against XSS.
BalusC  2010-04-13 17:58:14
what's with all the downvotes? the solution does what OP wanted - to prevent people from entering any HTML tags in the textarea. i've also strongly suggested that they investigate a server-side solution as a safer method.
oedo  2010-04-13 17:59:57
I have to -1 this, it's a horrendous solution. Aside from the reasons mentioned here (that this will only replace the `<` and `>` sign), imagine if someone enters `3 is > 1 but < 5`. The result is `3 is 1 but 5`
Andy E  2010-04-13 18:00:44
@oedo: downvotes are used for a number of reasons and shouldn't really be taken personally. The solution you provided is flawed in many ways and should not be implemented at all.
Andy E  2010-04-13 18:03:43
+3  A: 

One of the ways is to let the keypress event return false when the pressed key matches < or >. To distinguish real HTML tags from innocent "lesser than" and "greater than" signs, you may need to put some regex in. And since you can't parse HTML reliably with regex... There's however a jQuery way:

var sanitized = $('<div>').html(textareavalue).text();

The normal practice is however to just let the client enter whatever it want and sanitize HTML during display by the server side view technology in question. How to do it depends on the view technology you're using. In for example PHP you can use htmlspecialchars() for this and in JSP/JSTL the fn:escapeXml(). This is more robust since Javascript can be disabled/hacked/spoofed by the client.

BalusC  2010-04-13 17:42:41
you also sanitize (in a different way) before saving to a database.
Adriano Varoli Piazza  2010-04-13 17:49:43
Yes, against [SQL injections](http://en.wikipedia.org/wiki/SQL_injection).
BalusC  2010-04-13 18:13:37
bobince  2010-04-13 18:25:57
+1  A: 

You can use a regular expression, like

if ( textArea.value.match(/<\/*[a-z][^>]+?>/gi) ) {
  // do something about it
}

where "textArea" is the ID of your textarea element.

Robusto  2010-04-13 17:43:08
+1  A: 

What can you consider as HTML tags? Is <b> a tag? What about the middle characters in I <3 how 5 is > 4?

I think you should not limit users with your strictness. Don't be a Steve Jobs.

Coronatus  2010-04-13 17:44:19

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?