
Restrict certain characters in textarea input?

I have a textarea on a web page and I would like to make it so that people can't put certain characters like &, *, <, or > in it. Is there any way I can do it with html? If not, I can also use PHP.

You can create a JavaScript statement that replaces all characters that are not desired with an empty string inside the textarea. For example, if you wanted to restrict the characters you mentioned in your question, the following code will work:

<textarea rows="4" cols="50" onkeyup="this.value = this.value.replace(/[&*<>]/g, '')"></textarea>

Here is a JSFiddle: http://jsfiddle.net/81ox0vbr/6/

If you were using input then there are several options available to you with the type attribute, such as color, date, email, number, tel. See https://developer.mozilla.org/en/docs/Web/HTML/Element/Input.

With textarea you do not have these options. However, you can use JavaScript to listen to key events and to ignore certain key presses. See http://jsfiddle.net/tg300eef/.

var ta = document.getElementById("ta");
ta.addEventListener(
    'keypress',
    function (e) {
        // Test for the characters you want to filter out. e.key holds the
        // typed character; the older e.keyCode is deprecated and is not set
        // consistently across browsers in a keypress handler.
        if (e.key === '<') {
            alert('No "<"!');
            // Prevent the default event action (adding the
            // character to the textarea).
            e.preventDefault();
        }
    }
);

This however does not protect you from incorrect or malicious inputs. That is, even if you use JavaScript to filter characters out of the textarea it is still trivial for a user to bypass this restriction (just turn off JavaScript, for example).

The correct way to handle user inputs that must be used in other commands -- such as an SQL query, or HTTP request, and so on -- is to use the appropriate escaping routine. This may be mysqli_real_escape_string for MySQL queries, htmlspecialchars for embedding user input in HTML, urlencode for HTTP requests, and so on. This must be done by the server because you cannot trust the client (in other words, the user) to do this for you.

Sometimes you will see stripping routines that remove special characters or terms. These can be much more difficult to get right, especially when you are trying to allow some special terms but not others. This happens often with HTML where you want to strip out things like <script> and <iframe> but leave in things such as <strong> and <h1>. Another example is allowing the user to use a subset of SQL to filter search results.

The problem with stripping is that it is likely the interpreter (of whatever language -- which you didn't write) recognizes commands or syntaxes you did not anticipate, and through those you have security vulnerabilities. This is one reason it makes sense to have restricted languages such as Markdown even though HTML can do the same and more.

Another problem with stripping is that the user may want to use special characters or phrases for other purposes, not as an instruction. For example, I may want to write 0 < x > 10 but an HTML stripper may reduce this to 0 10 unfairly.
