Reputation: 73
I have a textarea in my web application where a user can enter anything, and it is saved as a string in the DB. If the user enters some JavaScript code in the textarea, it executes when we try to view it on the saved-data page. Is there any generic way to prevent this?
Upvotes: 0
Views: 334
Reputation: 22943
You should never display input from a user without escaping it. You'd take the input the user gives you and store it as is, but when you display it again, you have to do proper escaping. Just manually stripping out <script> is not enough.
There are numerous ways of escaping content depending on the framework/platform you're using, and such functionality is probably even built into the templating solution you're using.
EDIT
I'm not familiar with the Stripes framework, but after a quick Google search this turned up: http://stripes.sourceforge.net/docs/current/javadoc/net/sourceforge/stripes/util/HtmlUtil.html
Upvotes: 1