473,847 Members | 1,505 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How can i deactivate paste in a rich text edit box ?

I'm running Kevin Roth's rte box and i want to deactivate the ability
to past inside the box. People sometimes paste outrageous things in
there that might break my site. How can I deactivate the ability to
paste?

see: http://www.kevinroth.com/rte/demo.htm

Thanks for your help
Seth Russell

Sep 21 '05 #1
14 2864
"Seth Russell" <ru**********@g mail.com> writes:
I'm running Kevin Roth's rte box
I don't know what it is, but it probably doesn't work in my browser
anyway ... checking ... well, at least I can write HTML in it.
and i want to deactivate the ability to past inside the box. People
sometimes paste outrageous things in there that might break my site.
How can I deactivate the ability to paste?


That's probably not the best way to solve the problem. Pasting is
a useful operation, and disabling it will be guaranteed to annoy
some users eventually. Also remember, anything that can be pasted,
can also be written manually, so if someone wants to break your
site, they still can (or if need be, they'll fake a HTTP POST
of the bad content).

If your application has a problem with malformed input, it should
scan for exactly that, on the server, before using the input for
anything else.

That is general princliple in client/server programming on the
internet ... don't trust the client. The responsibility for preventing
site breakage should lie in a place that you can trust, which means
the server.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Sep 21 '05 #2
>I don't know what it is, but it probably doesn't work in my browser
anyway ... checking ... well, at least I can write HTML in it.
Not in my version of it, i suppressed the "look at html" check box.
Did the wysiwyg not work in your browser? Which browser is that?
Also remember, anything that can be pasted,
can also be written manually,
Not really, you can't write HTML (in my version)
If your application has a problem with malformed input, it should
scan for exactly that, on the server, before using the input for
anything else.


Yes, yes ... care to point me to a routine in php that does that.
Needs to
* disallow all scripts
* disallow broken html - this is going out on a atom \ Rss feed and
needs to be perfect XHTML

Seth Russell

Sep 21 '05 #3
PS: What i really want it to do is to strip all HTML just from the
paste input. It should function just exactly like the box here at
Google Groups. I want just what you get if you select all on a web
page and go to word pad and paste.

Seth Russell

Sep 21 '05 #4

Seth Russell wrote:

Not really, you can't write HTML (in my version)
right. You're sending the user a program - a javascript program - and
saying, "please run this and send me the results." Then when you get
the results, you just assume that they are correct? Why? Because the
user was nice and ran your javascript program?

See, the thing is, a person can create their own little web page with a
form in it that submits to *your* page. Do you understand? The kind
of person that you're worried about, the kind of person who'd cut and
paste HTML, is certainly the kind of person who is technically capable
of this simple task.

You *have* to check the input. You have to. It's not optional. It's
not a nice thing that you'll do later, after you get the rest of the
application working. You have to do it now. Checking the input is
more important that the user interface. It's more important than that
rich-text edit box. Whatever it is that you're developing, it will
NEVER be secure until you check and correct the input.

I'm sorry, but this is web programming 101. It's really something that
you need to understand before you even get started.
Yes, yes ... care to point me to a routine in php that does that.


When you say, "yes, yes" it kind of sounds like you're blowing the guy
off. He gave you good advice. You need to listen to it. Stop
whatever you're doing and fix the input on the server side.

For starters, you could remove all less-than signs.

Sep 21 '05 #5
> You *have* to check the input. You have to. It's not optional. It's
not a nice thing that you'll do later, after you get the rest of the
application working. You have to do it now. Checking the input is
more important that the user interface. It's more important than that
rich-text edit box. Whatever it is that you're developing, it will
NEVER be secure until you check and correct the input.


Ok, I got it. I guess i suspected this all along and just needed
somebody with experience to tell me. Thanks.

Sorry if it sounded like i was blowing Nielsen off, I really do need
this to find a good sanatizer. Problem is finding a good one and
finding the correct point in the program to execuite it. Obviously i
cannot do the same sanatizing to the output of the RTE box that is
submitted to me that i do to the imput from the paste otherwise i would
loose all the rich text markup.

Prob is I'm pretty ok with php, but javascript is a foreign language
that i am just now learning. How can i preprocess the data comming
into the RTE box from the client's clipboard ? Then where is there a
good checking routine for the final output from the RTE box ?

Thanks for your help ...

Seth Russell

Sep 21 '05 #6
"Seth Russell" <ru**********@g mail.com> writes:
I don't know what it is, but it probably doesn't work in my browser
anyway ... checking ... well, at least I can write HTML in it.
Not in my version of it, i suppressed the "look at html" check box.
Did the wysiwyg not work in your browser? Which browser is that?


Opera. It doesn't have formatted text input functionality. I don't
know if any browser except IE and Mozilla-based ones have such a
proprietary feature.
Yes, yes ... care to point me to a routine in php that does that.
Needs to
* disallow all scripts
* disallow broken html - this is going out on a atom \ Rss feed and
needs to be perfect XHTML


I'd go the safer way and choose what to allow, not what to deny.
Any text formatting tags should be retained (b, i, u, em, strong,
br, perhaps even p). No attributes should be allowed (no event
handlers or style attributes[1], and the rest doesn't really matter
then). If any of these elements are not closed, it's not a big deal,
but you could count starts and ends add missing ends.

So in Javascript, I would do something like:
---
// list of allowed tagnames
var allowed = ['b','i','u','em ','strong','br'];
// RegExp matching tag
var tagRE = /(.*?)(<(/?)(\w+)\b[^>]*>|$)/g;
// RegExp matching alloweed
var validRE = new RegExp("^("+all owed.join("|")+ ")$");

// replace all non-allowed tags and make sure all allowed tags are closed
function sanitize(html) {
// stack of open tags
var open = [];
// foreach tag, replace with ...
return html.replace(ta gRE, function(_, before, tag, end, name) {
// escape < and & in non-tag text.
before = before.replace(/&/g,"&amp;").repl ace(/</g,"&lt;")
if (name) { // contains a tag - not end of string
if (validRE.test(n ame)) { // allowed tag
if (!end) { // allowed start tag
open.push(name) ;
return before+"<"+name +">";
} else { // allowed end tag
var result = [before];
var top;
while (top = open.pop()) {
result.push("</",top,">")
if (top == name) { break; }
}
return result.join("") ;
}
} else { // unallowed tags.
return before;
}
} else { // end of string
result = [before];
while(open.leng th > 0) {
result.pop("</",open.pop(),"> ");
}
return result.join("") ;
}
});
}
---
I.e., pick out tags and in-between text, escape all "<" and "&" in text,
remove all unallowed tags, remove all attributes from allowed tags,
and close all open tags correctly (remove incorrect closing tags).

While this might not give exactly what an author intended for some
invalid HTML, he really has only himself to blame :)

I have no idea how to convert this to PHP, but a competent PHP'er will
probably know how.
/L

[1] Yes, style elements can be dangerous too (works in, at least, IE):
<b style="backgrou nd-image:
url(javascript: document.locati on.href='http://mysexsite.examp le.com/')">
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Sep 21 '05 #7
Lasse Reichstein Nielsen wrote:
So in Javascript, I would do something like:


My question is, what good is javascript in this situation? He still
has to check the input on the server side, before he puts it in his
database. He's got to do it in php.

Sep 21 '05 #8
"ch************ ****@gmail.com" <ch************ ****@gmail.com> writes:
Lasse Reichstein Nielsen wrote:
So in Javascript, I would do something like:
My question is, what good is javascript in this situation?


It's a functional description of an algorithm in a language that is
on-topic for this newsgroup. It might even be used on the client side
to preview what the final result will be, for non-malicious users.
He still has to check the input on the server side, before he puts
it in his database. He's got to do it in php.


Agree completely that it has to be used server side, in whatever
language the server side uses (which could be Javascript, but the
orginal poster appears to use PHP).

It's easier to translate an existing function into a new language than
to write one from scratch, and with a javascript version (as opposed
to a pseudocode description), you can even test that the translation
gives the same results.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'
Sep 21 '05 #9
I understand.

Sep 21 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
3777
by: IkBenHet | last post by:
Hello, I found this script to create a simple rich text form (http://programmabilities.com/xml/index.php?id=17): <html> <head> <title>Rich Text Editor</title> </head> <body>
2
2999
by: VB Programmer | last post by:
I want to create an email message with a HTML body and email it out. I know how to create/send the email (for the most part.) 1. Any ideas or examples of using an ASP.NET rich text editor so that a user can edit rich text, then save the results as an HTML page (either straight to a page or into a db)? 2. How about the opposite: An HTML page the is opened up in the editor so the user can modify it (with rich text) and save it (like to...
3
3527
by: active | last post by:
I remember when I checked NewGroups for comments about the VB6 Activate event and found that many thought it was not a reliable way to keep track of which form has focus. There was enough bad press that I avoided it. I now have a project with MDI child forms and non-MDI child forms coming and going as the user selects different options. I need to know which form is the active one and thought that I could use the Activate and Deactivate...
5
1636
by: DigitalGENOcyde | last post by:
I am fairly new to working with programming so pardon my lack of knowledge, but I was hoping someone could assist me with working on a project. I am trying to make a Windows application using Visual Basic 2005 Express, and am wanting to have a menu bar with one of the drop downs being similar to that of the "Edit" drop down in most any other Windows app. I am wanting to find the code to perform such functions as Cutting, Copying and...
0
1512
by: william_dudek | last post by:
I have created a control with a rich text box, and I need to capture the paste event to do some additional work when a user pastes text. I can't do this on hte text change because Someone could possibly paste an enormous amount of data and slow the program down too much. I have the following code that catches other events on the control but not the WM_PASTE. If the WM_PASTE is not raised on the Rich Text box where can I catch it? I tried...
1
5271
by: jobs | last post by:
Is there any way to allow the pasting of images into a webform? which could then be saved into a database for retrieval?
16
11144
by: Neil | last post by:
I posted a few days ago that it seems to me that the Access 2007 rich text feature does not support: a) full text justification; b) programmatic manipulation. I was hoping that someone might know one way or the other whether that was true or not, or could point me to an article or help text that would. What I have seen so far online and in Access 2007 help seems to confirm the above. But that (or at least (b)) seems incredible that it...
2
2878
arnabc
by: arnabc | last post by:
Hi all, I am developing one online forum kind of website where users have the facility to submit there comments and to do that we r using one custom made rich text editor. So far it was fine but suddenly I discovered that one can paste a large amount of text or a Big Image in the Rich text editor which was not a desired thing because we set up a maximum limit of text one can enter and the Big image problem is that we have the option to insert...
2
5512
by: tristanlbailey | last post by:
I been scouring the Internet for an answer to my problem, and a couple of times thought I had almost found the answer, but still to no avail. I'm tying to use the Rich Edit class (riched20.dll), to display unicode text. The riched20.dll file is loaded by using the LoadLibrary function, and a Rich Edit control created with the CreateWindowEx function. The text is input into a string variable from a unicode text file. The text is then inserted...
0
9892
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
9734
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10653
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
7888
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5725
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5915
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4540
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4129
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
3168
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.