Using JQuery, how can I prevent users from enterin

2019-08-06 09:35发布

站内问答 / jQuery
1023 4 4

Basically, I need to be able to strip script and html from input fields before processing. I am using JQuery, and was hoping to find that there is a standard way of doing that sort of thing. Any ideas?

标签: jquery input
举报
4条回答
该账号已被封号
2楼-- · 2019-08-06 10:06

You have to do it on the server. If you do it on the client, you leave yourself open to people hand-crafting HTTP messages to send to your server, knowing that your server assumes your client code escapes the strings. So, since your server can't assume the content is safe, it has to assume that it isn't safe. (Otherwise you end up double-encoding things, and that becomes a pain.) So it's neither possible, nor appropriate, for your client-side code to do the escaping.

查看更多
0人赞 添加讨论(0) 举报
唯我独甜
3楼-- · 2019-08-06 10:07

your html:

<input class="striphtml" name="name" />

your js:

$(document).ready(function() {
  // strip all html when text in input changes
  $(".striphtml").change(function(){
      $(this).val( $(this).text() );
  });
});

Result:

<p>This is a test.</p>

will be replaced with:

&lt;p&gt;This is a test.&lt;/p&gt;

Attention: As SLaks mentioned you MUST validate your INPUTS on server side!!!

查看更多
0人赞 添加讨论(0) 举报
该账号已被封号
4楼-- · 2019-08-06 10:09

You shouldn't be doing this at all.

Instead, you should escape your content on the server.
This way, you can accept malicious input (or < characters) without being harmed by it.

查看更多
0人赞 添加讨论(0) 举报
倾城 Initia
5楼-- · 2019-08-06 10:14

Here is a great tutorial for what you need. As SLaks said, do this server side. Sanitize your input

Tutorial

You could do some regular expression work with specific characters, but that can only help a little bit.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)