tags:

views:

128

answers:

2
Q: 

negative look ahead to exclude html tags

I'm trying to come up with a validation expression to prevent users from entering html or javascript tags into a comment box on a web page.

The following works fine for a single line of text:

^(?!.*(<|>)).*$

..but it won't allow any newline characters because of the dot(.). If I go with something like this:

^(?!.*(<|>))(.|\s)*$

it will allow multiple lines but the expression only matches '<' and '>' on the first line. I need it to match any line.

This works fine:

^[-_\s\d\w&quot;'\.,:;#/&\$\%\?!@\+\*\\(\)]{0,4000}$

but it's ugly and I'm concerned that it's going to break for some users because it's a multi-lingual application.

Any ideas? Thanks!

+1  A: 

Note that your RE prevents users from entering < and >, in any context. "2 > 1", for example. This is very undesirable.

Rather than trying to use regular expressions to match HTML (which they aren't well suited to do), simply escape < and > by transforming them to &lt; and &gt;. Alternatively, find a package for your language-of-choice that implements whitelisting to allow a limited subset of HTML, or that supports its own markup language (I hear markdown is nice).

As for "." not matching newline characters, some regexp implementations support a flag (usually "m" for "multi-line" and "s" for "single line"; the latter causes "." to match newlines) to control this behavior.

The first two are basically equivalent to /^[^<>]*$/, except this one works on multiline strings. Any reason why you didn't write the RE that way?

outis  2010-04-27 21:47:37
The App's DAL already handles escaping any 'dangerous' characters but I'd rather do it in both places. I've also noticed in the past that the client side ASP.Net validators tend to choke on anything that looks like a tag so I'm trying to avoid that as well.
Remoh  2010-04-28 18:08:51
I'm aware that what I've shown so far will prevent any use of '<' and '>' and I was planning to tackle that after I get the negation working. I'll check to see if there's a multi-line flag.
Remoh  2010-04-28 18:09:41
A: 

So, I looked into it and there is a .Net 'SingleLine' option for regular expressions that causes "." to also match on the new line character. Unfortunately, this isn't available in the ASP.Net RegularExpressionValidator. As far as I can see, there's no way to make something like ^(?!.(<\w+>)).$ work on a multi-line textbox without doing server-side validation.

I took your advice and went the route of escaping the tags on the server side. This requires setting the validation page directive to 'false' but in this particular instance that isn't a big deal because the comment box is really the only thing to worry about.

Remoh  2010-04-29 02:58:50

related questions

Passing a commented, multi-line (freespace) regex to preg_match
My regex is matching too much. How do I make it stop?
Using Regex to generate Strings rather than match them
Complexity of Regex substitution
What is the most brilliant regex you've ever used?
RFC calculation in Java need help with algorithm
What did I do wrong here? [Javascript Regex]
How do you use back-references to PCREs in PHP?
Need help writing a regex statement. [PHP]
Regex and unicode
Python Regular Expressions
Question about specific regular expression
Pre-built regular expression patterns or Regex Libraries?
Parsing attributes with regex in Perl
Regex Rejecting matches because of Instr
How do I bind a regular expression to a key combination in emacs?
How do you retrieve selected text using Regex in C#?
Remove Quotes and Commas from a String in MySQL
Regular expression for parsing links from a webpage?
What are good regular expressions?
Why is this regular expression faster?
Learning Regular Expressions
How far should one take e-mail address validation?
How can I get at the matches when using preg_replace in PHP?
Regex: To pull out a sub-string between two tags in a string