I have heard a lot about hackers submitting code through
forms to jack with websites and I'm trying to avoid this without
pissing off my users. Right now I just reject a post if they use
< or >. However I'm finding users are needing to use those
Question, are using HTMLCodeFormat() or HTMLEditFormat() safe
ways of displaying user entered tags and preventing hacker scripts?
My assumption is no. Any best practice ideas on this?
you can use a rereplace() function with a regexp to strip out
from the user's input prior to inserting it into your db.
there are several udf's over at www.cflib.org that can do
that for you.
some are general, others target specific html (like script
a very basic one would be something like:
rereplace(userInput, '<[^>]*>', '', 'ALL')   <!--- userInput = the submitted form field (placeholder name); 'ALL' replaces every match, not just the first --->
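To make the trade-off between the two approaches in this thread concrete, here is an added example (not from either poster) that mirrors the reply's rereplace() tag-stripping and the question's HTMLEditFormat() encoding in Python: re.sub stands in for REReplace with the same '<[^>]*>' pattern, and html.escape stands in for HTMLEditFormat. The sample input is constructed; the function names are the example's own.

```python
import html
import re

# Constructed sample of user-entered text: some harmless markup, a comparison
# sign that a legitimate user needs to type, and an unwanted script element.
SAMPLE_INPUT = 'Hi <b>there</b>, note that 1 < 2 and <script>alert("x")</script>'

# Same pattern as the reply's rereplace() call: anything from '<' up to the next '>'.
TAG_RE = re.compile(r'<[^>]*>')


def strip_tags(text: str) -> str:
    """Equivalent of REReplace(text, '<[^>]*>', '', 'ALL').

    Deletes everything that looks like a tag. Lossy: the '[^>]*' part happily
    runs across a user's genuine '<' until it finds some later '>', so text
    the user meant literally (like '< 2') can disappear along with the tag.
    """
    return TAG_RE.sub('', text)


def encode_for_html(text: str) -> str:
    """Equivalent of HTMLEditFormat(): escape '<', '>', '&' and quotes.

    Nothing is removed; the browser renders the characters literally, so a
    '<script>' typed by a user is displayed as text rather than executed and
    a '<' the user needs survives intact.
    """
    return html.escape(text, quote=True)


def contains_raw_tag(text: str) -> bool:
    """True if the text still contains anything a browser would parse as a tag."""
    return TAG_RE.search(text) is not None


def round_trips(text: str) -> bool:
    """Encoding is reversible: what the browser shows equals what the user typed."""
    return html.unescape(encode_for_html(text)) == text


if __name__ == '__main__':
    print('strip :', strip_tags(SAMPLE_INPUT))
    print('encode:', encode_for_html(SAMPLE_INPUT))
    print('raw tag left after encoding?', contains_raw_tag(encode_for_html(SAMPLE_INPUT)))
    print('encoding is lossless?', round_trips(SAMPLE_INPUT))
```

Running it shows why stripping at insert time is the weaker choice for a site whose users legitimately type angle brackets: the stripped version loses the user's "< 2" (the regex swallowed it together with the following tag), while the encoded version keeps every character the user typed and still leaves nothing a browser will treat as markup. Stripping is also a one-way operation done before the data reaches the database, whereas encoding is applied at display time, so the original text remains available if the site later needs it.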