Re: How can I deactivate paste in a rich text edit box?



"Seth Russell" <russell.seth@xxxxxxxxx> writes:

> The problem I still have is that I want to send the client a checker
> (probably exactly the one you have given me above) but I don't know
> where to install it in the javascript

Why? Or, more precisely: What problem are you trying to solve by that?

Remember that in non IE/Mozilla browsers, the textarea will be just
that, a plain HTML textarea.

If you really want to do validation of the field, either do it at
submission time, or in an "onchange" handler on the textarea.

Also remember to check all fields, including both title fields,
since they can also contain malicious HTML.

> (http://fastblogit.com/add/richtext.js) that is running the RTE box
> such that it will intervene between the client's paste of their
> clipboard.

Shouldn't be possible. Pasting is just a way of adding a lot of text
without typing it one character at a time, but

> That same routine won't be applied on the output at the
> server because then it would eliminate all the nice rich text editing,
> right ?

The idea was to remove bad HTML from the input, which means that it
never gets any further.

I have now checked the site, and can see that more formatting is
allowed than what my script would let through. The colors are set
using spans with style attributes, so that should be allowed too ...
and then you can't throw away all attributes, or even all style
attributes, so a more precise filtering is needed.

What you need to remove is then, at least:
Scripts:
* all script elements.
* all intrinsic event handlers (any attribute starting with "on" should do)
* all script urls (any url starting with a protocol not http or ftp,
both in links and image elements, and in style attributes)
* any iframe or object element (could embed another page with scripts).
Malicious HTML:
* any opening or closing comment
* any closing tag not matching an opening tag (throw in a </table> and see :).
* any starting tag not closed (especially those with CDATA content,
i.e., script, style and textarea)

With those gone, I'm fairly sure there is no scripting left, and the
HTML can be contained in its div (adding </table> or </div> could otherwise
mess up the layout).

I have done some testing (as anonymous user aaaaej) which messes things
up quite badly (I think I deleted them now, or maybe the Wizzard did :).

/L
--
Lasse Reichstein Nielsen - lrn@xxxxxxxxxx
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'
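The checklist in the post above (drop script elements, intrinsic "on*" handlers, non-http/ftp URLs in links, images and style attributes, iframe/object, comments, unmatched closing tags and unclosed opening tags) written out as a server-side filter. This is an added example, not code from the original post or from the fastblogit richtext.js script. It goes one step further than the list by using an allowlist: anything not explicitly permitted is dropped, so script, style, iframe and object never need to be named. The tag, attribute and CSS property allowlists are assumptions chosen to match simple RTE formatting (bold, colour spans, links, images) and would be extended per site; unclosed tags are closed at the end of the fragment rather than removed, which keeps the fragment contained in its div with the same effect.

```javascript
// Added example: allowlist-based filter for a rich-text fragment.
// Not the original poster's code; allowlists below are assumptions.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "strong", "em",
  "span", "a", "img", "ul", "ol", "li", "blockquote"]);
const VOID_TAGS = new Set(["br", "img"]);
const ALLOWED_ATTRS = {
  a: new Set(["href"]),
  img: new Set(["src", "alt"]),
  span: new Set(["style"]),
};
// Only these CSS properties, and values limited to word characters, "#",
// commas, dots, "%", quotes and whitespace: no "(" so url()/expression()
// cannot appear, no ":" so no scheme can hide inside a value.
const ALLOWED_CSS = new Set(["color", "background-color", "font-family",
  "font-size", "font-weight", "font-style", "text-decoration"]);
const SAFE_CSS_VALUE = /^[#\w\s,.%'"-]+$/;
// Links and images must start with an explicit http, https or ftp scheme.
const SAFE_URL = /^(?:https?|ftp):\/\//i;

// One token per match: comment | closing tag | opening tag | text run.
// A "<" that does not form a tag falls through to the text alternative.
const TOKEN_RE = /(<!--[\s\S]*?(?:-->|$))|<\/([a-z][a-z0-9]*)\s*>|<([a-z][a-z0-9]*)((?:\s+[^<>]*?)?)\s*\/?>|([^<]+|<)/gi;
const ATTR_RE = /([a-z][a-z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function escapeAttr(s) {
  return s.replace(/"/g, "&quot;");
}

// Keep only allowlisted property: value pairs; everything else is dropped.
function sanitizeStyle(style) {
  const kept = [];
  for (const decl of style.split(";")) {
    const idx = decl.indexOf(":");
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_CSS.has(prop) && SAFE_CSS_VALUE.test(value)) {
      kept.push(`${prop}: ${value}`);
    }
  }
  return kept.join("; ");
}

// Rebuild the attribute list from scratch; every on* handler is dropped
// simply because no "on*" name is ever allowlisted.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(name)) continue;
    if ((name === "href" || name === "src") && !SAFE_URL.test(value)) continue;
    const clean = name === "style" ? sanitizeStyle(value) : value;
    if (clean === "") continue;
    out += ` ${name}="${escapeAttr(clean)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  const out = [];
  const open = []; // stack of currently open, allowed tags
  for (const m of input.matchAll(TOKEN_RE)) {
    if (m[1] !== undefined) continue;              // comment: dropped
    if (m[2] !== undefined) {                      // closing tag
      const tag = m[2].toLowerCase();
      const depth = open.lastIndexOf(tag);
      if (depth < 0) continue;                     // no matching opener: dropped
      while (open.length > depth) out.push(`</${open.pop()}>`);
      continue;
    }
    if (m[3] !== undefined) {                      // opening tag
      const tag = m[3].toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) continue;        // script, iframe, object, ...
      out.push(`<${tag}${sanitizeAttrs(tag, m[4] || "")}>`);
      if (!VOID_TAGS.has(tag)) open.push(tag);
      continue;
    }
    out.push(escapeText(m[5]));                    // text: stray < and > escaped
  }
  while (open.length) out.push(`</${open.pop()}>`); // close whatever was left open
  return out.join("");
}

// Constructed sample input (not taken from any real site).
const SAMPLE = '<p style="x">Hi <span style="color: red">there</span>' +
  '<script>alert(1)</script><a href="javascript:alert(2)" onclick="f()">x</a></table>';
console.log(sanitizeHtml(SAMPLE));
```

The filter runs on the submitted string, before anything is stored, which is the "remove bad HTML from the input" approach the reply describes; the RTE formatting that the allowlist names survives, while the closing `</table>` from the example input is silently dropped because nothing opened it.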