472,993 Members | 2,458 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 472,993 software developers and data experts.

& and &

How can one stop a browser from converting

&

to

& ?

We have a textarea in our system wehre a user can type in some html code
and have it saved to the database. When the data is retireved and
redisplayed it is displayed as simply &.

HTML snippet:

<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
fred
&
&amp;
</TEXTAREA>

When displayed, the user predictably sees

fred
&
&

What workarounds are there for this - I am sure it's a problem for
others - is there a way of "escaping" the value before display?
--

jeremy

Mar 3 '06 #1
11 6278

Jeremy wrote:
We have a textarea in our system wehre a user can type in some html code
and have it saved to the database.


Users can't type "HTML code" into a <textarea> What they type _is_
plain text, which they might _intend_ to have interpreted later as if
it were HTML. To help them do this you must first convert their plain
text as entered into HTML - part of this process would be to encode
their plaintext "&" into the HTML "&amp;", probably just before storing
it.

Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there's an encoding / decoding process missing.

This stuff isn't hard to do, but it does require clarity of thought and
attention to detail. It's also very important to get right (there are
some interesting attacks you can make on blogs etc. if you let users
post arbitrary chunks of HTML).

Mar 3 '06 #2
Jeremy <je********@gmail.com> wrote:
How can one stop a browser from converting

&amp;

to

& ?
You can't if the document is served as text/html.

If you want a browser to display &amp; literally in a document served as
text/html use &amp;amp;

Depending on what you need it may be possible to serve it as text/plain
in which case you can use the literal. This can also be embedded into a
document served as text/html.
We have a textarea in our system wehre a user can type in some html code
and have it saved to the database. When the data is retireved and
redisplayed it is displayed as simply &.

HTML snippet:

<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
fred
&
&amp;
</TEXTAREA>

When displayed, the user predictably sees

fred
&
&


You haven't made it clear what this is used for, but maybe your server
side data processing needs to convert character references (not just
&amp;) that the user enters to &amp;char_ref

--
Spartanicus
Mar 3 '06 #3
In article <11*********************@p10g2000cwp.googlegroups. com>, Andy
Dingley says...
Users can't type "HTML code" into a <textarea> What they type _is_
plain text, which they might _intend_ to have interpreted later as if
it were HTML. To help them do this you must first convert their plain
text as entered into HTML - part of this process would be to encode
their plaintext "&" into the HTML "&amp;", probably just before storing
it.

Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there's an encoding / decoding process missing.

This stuff isn't hard to do, but it does require clarity of thought and
attention to detail. It's also very important to get right (there are
some interesting attacks you can make on blogs etc. if you let users
post arbitrary chunks of HTML).


Yep I understand all of that. The user types &amp; into a field and
submits the form. The &amp; is stored in the database as typed by the
user. When the data is redisplayed for editing, the browser changes the
&amp; to simply &

So it really has nothing to do with variable naming and so on - the
question is how can we present back to the user the data that they
entered into the field?

--

jeremy

Mar 3 '06 #4
On Fri, 3 Mar 2006, Andy Dingley wrote:
Jeremy wrote:
We have a textarea in our system wehre a user can type in some
html code and have it saved to the database.
Users can't type "HTML code" into a <textarea>


I don't see for a moment why not. In fact I've been doing it for
ages. (Of course I would term it "markup", not "code").

And see http://www.htmlhelp.com/tools/validator/direct.html.en
for a practical use of such a thing.
What they type _is_ plain text,
What they type is text. Whether it's plain or otherwise is determined
by what the server-side process is going to use it for. There's no
way to control this: whatever they type-in, be it plain text, HTML
markup, C++ code, raw PostScript, or Linear B, gets submitted to the
server-side in accordance with the rules for forms submission. HTML
markup plays no special role in this part of the action - but it's not
for a moment excluded.

It's all about what you *do* with it when it reaches the server side.
which they might _intend_ to have interpreted later as if
it were HTML. To help them do this you must first convert their plain
text as entered into HTML - part of this process would be to encode
their plaintext "&" into the HTML "&amp;", probably just before storing
it.
*That* would certainly not be helpful if they were supplying HTML
markup.
This stuff isn't hard to do, but it does require clarity of thought
That's very true.
It's also very important to get right (there are some interesting
attacks you can make on blogs etc. if you let users post arbitrary
chunks of HTML).


Indeed; so block the raw-HTML options to untrusted contributors. But
that doesn't mean there's anything wrong in principle with the
existence of a raw-HTML option.
Mar 3 '06 #5
Jeremy wrote:
How can one stop a browser from converting

&amp;

to

& ?

We have a textarea in our system wehre a user can type in some html code
and have it saved to the database. When the data is retireved and
redisplayed it is displayed as simply &.

HTML snippet:

<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
fred
&
&amp;
</TEXTAREA>

When displayed, the user predictably sees

fred
&
&


Easy--convert all the & to &amp; before displaying them. "&" will become
&amp; and will display as "&", and "&amp;" will become "&amp;amp;" and
will display as "&amp;".
Mar 3 '06 #6
In article <46************@individual.net>, Harlan Messinger says...


Easy--convert all the & to &amp; before displaying them. "&" will become
&amp; and will display as "&", and "&amp;" will become "&amp;amp;" and
will display as "&amp;".


Brilliant - obvious but brilliant - thanks that is all I needed.

--

jeremy
Mar 3 '06 #7
hug
Jeremy <je********@gmail.com> wrote:
In article <46************@individual.net>, Harlan Messinger says...


Easy--convert all the & to &amp; before displaying them. "&" will become
&amp; and will display as "&", and "&amp;" will become "&amp;amp;" and
will display as "&amp;".


Brilliant - obvious but brilliant - thanks that is all I needed.


If you're working in PHP see htmlentities() it'll get them all in one
swell foop and it has the speed advantage of being a builtin.

--
http://www.ren-prod-inc.com/hug_soft...action=contact
Mar 3 '06 #8
In article <s8********************************@4ax.com>, hug says...
Brilliant - obvious but brilliant - thanks that is all I needed.


If you're working in PHP see htmlentities() it'll get them all in one
swell foop and it has the speed advantage of being a builtin.


Thanks - actually working in Oracle pl/sql - 'tis a simple replace()
call.

--

jeremy
Mar 3 '06 #9
Jeremy wrote:
In article <s8********************************@4ax.com>, hug says...
Brilliant - obvious but brilliant - thanks that is all I needed.


If you're working in PHP see htmlentities() it'll get them all in one
swell foop and it has the speed advantage of being a builtin.

Thanks - actually working in Oracle pl/sql - 'tis a simple replace()
call.


Hug makes a good general point--you might need to make other conversions
too, like < and > and possibly quotation marks. Server-side applications
generally have access in some way to an HTMLEncode function that handles
all of that.
Mar 3 '06 #10
Jeremy wrote:
In article <11*********************@p10g2000cwp.googlegroups. com>, Andy
Dingley says...
Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there's an encoding / decoding process missing.


So it really has nothing to do with variable naming and so on


See this article from Joel on Software to get a better idea of what Andy
was talking about.
http://www.joelonsoftware.com/articles/Wrong.html

In short, you're receiving unsafe content from the user, expecting it to
be plain text, failing to process it to make it is safe by encoding it
in HTML syntax and then outputting it directly. I suspect this will
probably be another bug if the user happens to enter this:

Hello World!</textarea>
<script>//do something evil</script>

When you include that fragment within your document and have not
processed it, the markup recieved by the browser would look something
like this:

<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
Hello World!</textarea>
<script>//do something evil</script>
</TEXTAREA>

Also, I'm not sure what that align="virtual" attribute in your markup is
supposed to do, I've never heard of it before. Neither align nor wrap
are valid attributes of the textarea element.

--
Lachlan Hunt
http://lachy.id.au/
http://GetFirefox.com/ Rediscover the Web
http://GetThunderbird.com/ Reclaim your Inbox
Mar 7 '06 #11
In article <3s***************@news-server.bigpond.net.au>, Lachlan Hunt
says...
Jeremy wrote:
In article <11*********************@p10g2000cwp.googlegroups. com>, Andy
Dingley says...
Good variable naming in your server code will help too - try prefixing
variable with "strUserJunk", or "htmlUserJunk" as appropriate. Whenever
you see code that assigns variables with mis-matched names, be
suspicious that there's an encoding / decoding process missing.


So it really has nothing to do with variable naming and so on


See this article from Joel on Software to get a better idea of what Andy
was talking about.
http://www.joelonsoftware.com/articles/Wrong.html

In short, you're receiving unsafe content from the user, expecting it to
be plain text, failing to process it to make it is safe by encoding it
in HTML syntax and then outputting it directly. I suspect this will
probably be another bug if the user happens to enter this:

Hello World!</textarea>
<script>//do something evil</script>

When you include that fragment within your document and have not
processed it, the markup recieved by the browser would look something
like this:

<TEXTAREA NAME="p_html" ROWS=6 COLS=70 ALIGN="VIRTUAL" WRAP="YES">
Hello World!</textarea>
<script>//do something evil</script>
</TEXTAREA>

Also, I'm not sure what that align="virtual" attribute in your markup is
supposed to do, I've never heard of it before. Neither align nor wrap
are valid attributes of the textarea element.


Thanks for all your feedback on this. Andy was addressing another issue
- I guess something related t owhat I was asking about. I see and
understand the point about potentially unsafe content. This is part of
an administrative toolset used by experienced and responsible site
administrators.

--

jeremy
Mar 8 '06 #12

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

9
by: Collin VanDyck | last post by:
I have a basic understanding of this, so forgive me if I am overly simplistic in my explanation of my problem.. I am trying to get a Java/Xalan transform to pass through a numeric character...
1
by: DrTebi | last post by:
Hello, I have the following problem: I used to "encode" my email address within links, in order to avoid (most) email spiders. So I had a link like this: <a...
0
by: Thomas Scheffler | last post by:
Hi, I runned in trouble using XALAN for XSL-Transformation. The following snipplet show what I mean: <a href="http://blah.com/?test=test&amp;test2=test2">Test1&amp;</a> <a...
4
by: johkar | last post by:
When the output method is set to xml, even though I have CDATA around my JavaScript, the operaters of && and < are converted to XML character entities which causes errors in my JavaScript. I know...
8
by: Nathan Sokalski | last post by:
I add a JavaScript event handler to some of my Webcontrols using the Attributes.Add() method as follows: Dim jscode as String = "return (event.keyCode>=65&&event.keyCode<=90);"...
14
by: Arne | last post by:
A lot of Firefox users I know, says they have problems with validation where the ampersand sign has to be written as &amp; to be valid. I don't have Firefox my self and don't wont to install it only...
12
by: InvalidLastName | last post by:
We have been used XslTransform. .NET 1.1, for transform XML document, Dataset with xsl to HTML. Some of these html contents contain javascript and links. For example: // javascript if (a &gt; b)...
7
by: John Nagle | last post by:
I've been parsing existing HTML with BeautifulSoup, and occasionally hit content which has something like "Design & Advertising", that is, an "&" instead of an "&amp;". Is there some way I can get...
3
by: Tony | last post by:
I see that many pages have &amp; in querystring instead &. What is difference? Can I put page link (url) www.mysite.com/mypage.aspx?lang=EN&ID=15 or I need to write...
0
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
0
tracyyun
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
2
by: giovanniandrean | last post by:
The energy model is structured as follows and uses excel sheets to give input data: 1-Utility.py contains all the functions needed to calculate the variables and other minor things (mentions...
4
NeoPa
by: NeoPa | last post by:
Hello everyone. I find myself stuck trying to find the VBA way to get Access to create a PDF of the currently-selected (and open) object (Form or Report). I know it can be done by selecting :...
1
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM) Please note that the UK and Europe revert to winter time on...
3
by: nia12 | last post by:
Hi there, I am very new to Access so apologies if any of this is obvious/not clear. I am creating a data collection tool for health care employees to complete. It consists of a number of...
0
NeoPa
by: NeoPa | last post by:
Introduction For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...
4
by: GKJR | last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.