Depending on how you desire to handle it, you can use the htmlEdit() or htmlCode() functions, which will escape those characters. This will cause the code to be displayed in the viewport rather than executed. But if you want to prevent even that, more effort would be required.
Those would probably do the trick, but I think I'd rather prevent them from getting into the system altogether, because of the number of places that information (and thus the scripts) could be accessed, viewed, displayed, etc.
Again, if you are not concerned about stripping them, use the HTMLEdit()/code() functions on the input into the database. Then the escaped code is stored and will be displayed that way anywhere it is output. A one-time batch conversion will take care of anything already

I would do this, even if I were building a more sophisticated solution to try and strip the cross-scripting code, as a default backup. Unfortunately, most of the higher-level solutions require knowing how the hackers will enter the code, and they are very clever about finding new ways to circumvent what we develop to block them.

These simple functions that escape all code are very quick to implement and pretty bulletproof, if not the prettiest solutions, which makes them a great last line of defense even if you do develop more elegant solutions.
Look at the safetext function at cflib.org. It may or may not have what you want, but it's worth checking.