capitalize first letter and strip html code
Question
I have the following html page: What I am looking to do is capitalize the first letter (which is working without any issue) and strip the textbox of any html code or any code that has a combincation of "<" "/>" ">" so user cannot insert malicious code to execute at server end.
I found a code which strips:
var StrippedString = OriginalString.replace(/(<([^>]+)>)/ig,"");
How do I add the above code to the below page so it takes care of both?
<?php
/**
* ****************************************************************************
* Micro Protector
*
* Version: 1.0
* Release date: 2007-09-10
*
* USAGE:
* Define your requested password below and inset the following code
* at the beginning of your page:
* <?php require_once("microProtector.php"); ?>
*
*
*
******************************************************************************/
$Password = 'TESTPASS'; // Set your password here
/******************************************************************************/
if (isset($_POST['submit_pwd'])){
$pass = isset($_POST['passwd']) ? $_POST['passwd'] : '';
if ($pass != $Password) {
showForm("Wrong password");
exit();
}
} else {
showForm();
exit();
}
function showForm($error="LOGIN"){
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<title>IMC - Authentication</title>
<link href="style/style.css" rel="stylesheet" type="text/css" />
<Script>
<!--
function capitalize(form) {
value = form.value;
newValue = '';
value = value.split(' ');
for(var i = 0; i < value.length; i++) {
newValue += value[i].substring(0,1).toUpperCase() +
value[i].substring(1,value[i].length) + '';
}
form.value = newValue;
}
-->
</Script>
</head>
<body>
<center><a href="http://www.test.com"><img src="test.png" border=0 /></a></center>
<br><br><br>
<div id="main">
<div class="caption"><?php echo $error; ?></div>
<div id="icon"> </div>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="pwd">
Your Name:
<table>
<tr><td><input class="text" name="name" onBlur="capitalize(this);" maxlength=12 type="text" /></td></tr>
</table>
Password:
<table>
<tr><td><input class="text" name="passwd" maxlength=8 type="password" /></td></tr>
<tr><td align="center"><br/>
<input class="text" type="submit" name="submit_pwd" value="Login" />
</td></tr>
</table>
</form>
</div>
</body>
</html>
<?php
}
?>
2 answers
solution1
1 ACCPTED 2012-09-03 19:00:28
Add newValue = newValue.replace(/(<([^>]+)>)/ig,""); before form.value = newValue;
solution2
1 2012-09-03 19:01:39
I hope you realise that any malicious user can just bypass your function completely. All I'd have to do is put capitalize=function(){} in my console and all of a sudden I can write what I want... Or I could just disable JavaScript. Either way I can send anything I like to your server.
On the server side, you should use a function like PHP's htmlspecialchars to prevent HTML from being injected into a user's browser, and while you're at it you can use ucfirst to capitalise the first letter (or ucwords for the first letter of every word).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.