4 Replies Latest reply on Jan 22, 2007 10:40 AM by Newsgroup_User

Javascripts being submitted

DynamicGuyNC
I have a number of forms (contact, eNews subscriptions, etc.) where someone is entering "redirect" Javascript code in one of the fields in the form. The Javascript then wreaks havoc on my CMS or the websites themselves, because when the CMS is accessed or the information is viewed by the visitors, it redirects them to another site.

Anyone happen to know a way to keep this from happening?

My thinking would be to write some code to check each entry for < or >, which is always what these problematic Javascript codes are wrapped in.
1. Re: Javascripts being submitted
Level 7
Depending on how you desire to handle it, you can use the htmlEdit() or htmlCode() functions, which will escape those characters. This will cause the code to be displayed in the view port rather than executed.

But if you want to even prevent that, more effort would be required.
2. Re: Javascripts being submitted
DynamicGuyNC Level 1
Those would probably do the trick, but I think I'd rather prevent them from getting into the system altogether, because of the number of places that information (and thus the scripts) could be accessed, viewed, displayed, etc.

Any thoughts?
3. Re: Javascripts being submitted
Level 7
> Any thoughts?

Again, if you are not concerned about stripping them, use the HTMLEdit()/code() functions on the input into the database. Then the escaped code is stored and will be displayed that way anywhere it is output. A one-time batch conversion will take care of anything already saved.

I would do this, even if I were building a more sophisticated solution to try and strip the cross-scripting code, as a default backup. Unfortunately most of the higher level solutions require knowing how the hackers will enter the code. And they are very clever about finding new ways to circumvent what we develop to block them.

These simple functions that escape all code are very quick to implement and pretty bulletproof, if not the prettiest solutions, which makes them a great last line of defense even if you do develop more elegant solutions.
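As an added example (not code from this thread), here is the escape-on-input approach the Level 7 replies describe, written in CFML: a form handler that runs HTMLEditFormat() before the INSERT, and the one-time batch conversion for rows already saved. The datasource name "siteDSN", the table "contact_messages" and its columns are assumptions.

```cfml
<!--- contact_submit.cfm: escape on the way into the database.
      HTMLEditFormat() turns < > & " into &lt; &gt; &amp; &quot;, so a stored
      <script> block is shown as literal text by every page that reads the row.
      (Datasource, table and column names below are assumed.) --->
<cfif structKeyExists(form, "message")>
    <cfset safeName    = HTMLEditFormat(Trim(form.name))>
    <cfset safeEmail   = HTMLEditFormat(Trim(form.email))>
    <cfset safeMessage = HTMLEditFormat(Trim(form.message))>

    <!--- cfqueryparam keeps the same field from being used for SQL injection. --->
    <cfquery datasource="siteDSN">
        INSERT INTO contact_messages (name, email, message)
        VALUES (
            <cfqueryparam value="#safeName#"    cfsqltype="cf_sql_varchar" maxlength="100">,
            <cfqueryparam value="#safeEmail#"   cfsqltype="cf_sql_varchar" maxlength="255">,
            <cfqueryparam value="#safeMessage#" cfsqltype="cf_sql_longvarchar">
        )
    </cfquery>
</cfif>

<!--- cms_view.cfm: rows are already escaped, so output them directly.
      Running HTMLEditFormat() again here would double-encode (&amp;lt;). --->
<cfquery name="msgs" datasource="siteDSN">
    SELECT name, email, message FROM contact_messages ORDER BY id DESC
</cfquery>
<cfoutput query="msgs">
    <p><strong>#msgs.name#</strong> (#msgs.email#)<br>#msgs.message#</p>
</cfoutput>

<!--- convert_once.cfm: the one-time batch conversion for existing rows.
      Run it exactly once; a second pass double-encodes every row. --->
<cfquery name="rows" datasource="siteDSN">
    SELECT id, message FROM contact_messages
</cfquery>
<cfloop query="rows">
    <cfquery datasource="siteDSN">
        UPDATE contact_messages
           SET message = <cfqueryparam value="#HTMLEditFormat(rows.message)#"
                                       cfsqltype="cf_sql_longvarchar">
         WHERE id = <cfqueryparam value="#rows.id#" cfsqltype="cf_sql_integer">
    </cfquery>
</cfloop>
```

HTMLCodeFormat() does the same escaping but also wraps the value in a <pre> block, so it suits the message body more than a name or email column.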
4. Re: Javascripts being submitted
Dan Bracuk Level 5
Look at the safetext function at cflib.org. It may or may not have what you want, but it's worth checking.