User not logged in - login - register
Home Calendar Books School Tool Photo Gallery Message Boards Users Statistics Advertise Site Info
go to bottom | |
 Message Boards » » alternative to iframe Page [1]  
rynop
All American
829 Posts
user info
edit post

The site I'm working on allows users to submit some html during a form submission. That html is then displayed in a template page of mine. Problem is when people do not submit valid html, it can sometimes throw the look of my site (for example the introduce a <div> but dont close it). My quick solution was to create an iframe, that fits seamlessly into my template, and have the users data displayed in it.

Using the iframe brings up a bunch of other stuff that I do not like, so was wondering if anyone else has run into this problem, and how did they get around it?

I'm using fckEditor for the user input, so thats how some html gets into the post. I know I could completely disallow html, but trying to avoid that. Also was thinking I could use some html DTD to validate the html, but I am not sure how to fix up the html if I find a problem.

thx

3/3/2008 7:37:56 PM

gs7
All American
2354 Posts
user info
edit post

The alternative? You have to parse their submission for tags that open and look for a tag that closes, if there isn't one, add the appropriate closing tag. In other words, you're thinking for them. Most bulletin board systems have this built in nowadays if you wanted to look at how they did it and modify it for your site.

3/3/2008 7:41:45 PM

rynop
All American
829 Posts
user info
edit post

I think I found out what was wrong. fckeditor does the tag completion - my database table was just not setup to hold the large amount of data that was submitted, so it got cut off before the </div> close.

[Edited on March 3, 2008 at 7:52 PM. Reason : not]

3/3/2008 7:52:06 PM

qntmfred
retired
40726 Posts
user info
edit post

Watch out for xss

3/3/2008 8:22:11 PM

Rat
Suspended
5724 Posts
user info
edit post

xslt FTL

3/3/2008 8:27:23 PM

Metricula
Squishie Enthusiast
4040 Posts
user info
edit post

possible security hole. cross server scripting attack GO!

3/3/2008 8:32:04 PM

rynop
All American
829 Posts
user info
edit post

update: I'm gonna use html tidy along with some sanitation classes my framework provides to scrub the user posted data.

my app is php based, and php interfaces nicely with html tidy - for anyone interested: http://us.php.net/manual/en/ref.tidy.php.

[Edited on March 5, 2008 at 4:49 PM. Reason : phptidy]

3/5/2008 4:47:56 PM

ncsuboy911
Suspended
240 Posts
user info
edit post

you got a . at the end of the link
http://us.php.net/manual/en/ref.tidy.php

3/5/2008 4:51:19 PM

rynop
All American
829 Posts
user info
edit post

^thx. 1 more thing that was not straightforward. I use ubuntu server. Doing google search to find out how to install tidy for php5 on ubuntu gives misleading results. ubuntu 7.10 has a php5-tidy package. all you have to do is install that pkg and restart apache. hope this helps someone.

3/5/2008 5:16:04 PM

 Message Boards » Tech Talk » alternative to iframe Page [1]  
go to top | |
Admin Options : move topic | lock topic

© 2024 by The Wolf Web - All Rights Reserved.
The material located at this site is not endorsed, sponsored or provided by or on behalf of North Carolina State University.
Powered by CrazyWeb v2.39 - our disclaimer.