How can i deactivate paste in a rich text edit box ?

"Seth Russell" <ru**********@g mail.com> writes:

I'm running Kevin Roth's rte box
I don't know what it is, but it probably doesn't work in my browser
anyway ... checking ... well, at least I can write HTML in it.
and i want to deactivate the ability to past inside the box. People
sometimes paste outrageous things in there that might break my site.
How can I deactivate the ability to paste?

That's probably not the best way to solve the problem. Pasting is
a useful operation, and disabling it will be guaranteed to annoy
some users eventually. Also remember, anything that can be pasted,
can also be written manually, so if someone wants to break your
site, they still can (or if need be, they'll fake a HTTP POST
of the bad content).

If your application has a problem with malformed input, it should
scan for exactly that, on the server, before using the input for
anything else.

That is general princliple in client/server programming on the
internet ... don't trust the client. The responsibility for preventing
site breakage should lie in a place that you can trust, which means
the server.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'

>I don't know what it is, but it probably doesn't work in my browser

anyway ... checking ... well, at least I can write HTML in it.
Not in my version of it, i suppressed the "look at html" check box.
Did the wysiwyg not work in your browser? Which browser is that?
Also remember, anything that can be pasted,
can also be written manually,
Not really, you can't write HTML (in my version)
If your application has a problem with malformed input, it should
scan for exactly that, on the server, before using the input for
anything else.

Yes, yes ... care to point me to a routine in php that does that.
Needs to
* disallow all scripts
* disallow broken html - this is going out on a atom \ Rss feed and
needs to be perfect XHTML

Seth Russell

PS: What i really want it to do is to strip all HTML just from the
paste input. It should function just exactly like the box here at
Google Groups. I want just what you get if you select all on a web
page and go to word pad and paste.

Seth Russell

Seth Russell wrote:

Not really, you can't write HTML (in my version)
right. You're sending the user a program - a javascript program - and
saying, "please run this and send me the results." Then when you get
the results, you just assume that they are correct? Why? Because the
user was nice and ran your javascript program?

See, the thing is, a person can create their own little web page with a
form in it that submits to *your* page. Do you understand? The kind
of person that you're worried about, the kind of person who'd cut and
paste HTML, is certainly the kind of person who is technically capable
of this simple task.

You *have* to check the input. You have to. It's not optional. It's
not a nice thing that you'll do later, after you get the rest of the
application working. You have to do it now. Checking the input is
more important that the user interface. It's more important than that
rich-text edit box. Whatever it is that you're developing, it will
NEVER be secure until you check and correct the input.

I'm sorry, but this is web programming 101. It's really something that
you need to understand before you even get started.
Yes, yes ... care to point me to a routine in php that does that.

When you say, "yes, yes" it kind of sounds like you're blowing the guy
off. He gave you good advice. You need to listen to it. Stop
whatever you're doing and fix the input on the server side.

For starters, you could remove all less-than signs.

> You *have* to check the input. You have to. It's not optional. It's

not a nice thing that you'll do later, after you get the rest of the
application working. You have to do it now. Checking the input is
more important that the user interface. It's more important than that
rich-text edit box. Whatever it is that you're developing, it will
NEVER be secure until you check and correct the input.

Ok, I got it. I guess i suspected this all along and just needed
somebody with experience to tell me. Thanks.

Sorry if it sounded like i was blowing Nielsen off, I really do need
this to find a good sanatizer. Problem is finding a good one and
finding the correct point in the program to execuite it. Obviously i
cannot do the same sanatizing to the output of the RTE box that is
submitted to me that i do to the imput from the paste otherwise i would
loose all the rich text markup.

Prob is I'm pretty ok with php, but javascript is a foreign language
that i am just now learning. How can i preprocess the data comming
into the RTE box from the client's clipboard ? Then where is there a
good checking routine for the final output from the RTE box ?

Thanks for your help ...

Seth Russell

"Seth Russell" <ru**********@g mail.com> writes:

I don't know what it is, but it probably doesn't work in my browser
anyway ... checking ... well, at least I can write HTML in it.
Not in my version of it, i suppressed the "look at html" check box.
Did the wysiwyg not work in your browser? Which browser is that?

Opera. It doesn't have formatted text input functionality. I don't
know if any browser except IE and Mozilla-based ones have such a
proprietary feature.
Yes, yes ... care to point me to a routine in php that does that.
Needs to
* disallow all scripts
* disallow broken html - this is going out on a atom \ Rss feed and
needs to be perfect XHTML

I'd go the safer way and choose what to allow, not what to deny.
Any text formatting tags should be retained (b, i, u, em, strong,
br, perhaps even p). No attributes should be allowed (no event
handlers or style attributes[1], and the rest doesn't really matter
then). If any of these elements are not closed, it's not a big deal,
but you could count starts and ends add missing ends.

So in Javascript, I would do something like:
---
// list of allowed tagnames
var allowed = ['b','i','u','em ','strong','br'];
// RegExp matching tag
var tagRE = /(.*?)(<(/?)(\w+)\b[^>]*>|$)/g;
// RegExp matching alloweed
var validRE = new RegExp("^("+all owed.join("|")+ ")$");

// replace all non-allowed tags and make sure all allowed tags are closed
function sanitize(html) {
// stack of open tags
var open = [];
// foreach tag, replace with ...
return html.replace(ta gRE, function(_, before, tag, end, name) {
// escape < and & in non-tag text.
before = before.replace(/&/g,"&amp;").repl ace(/</g,"&lt;")
if (name) { // contains a tag - not end of string
if (validRE.test(n ame)) { // allowed tag
if (!end) { // allowed start tag
open.push(name) ;
return before+"<"+name +">";
} else { // allowed end tag
var result = [before];
var top;
while (top = open.pop()) {
result.push("</",top,">")
if (top == name) { break; }
}
return result.join("") ;
}
} else { // unallowed tags.
return before;
}
} else { // end of string
result = [before];
while(open.leng th > 0) {
result.pop("</",open.pop(),"> ");
}
return result.join("") ;
}
});
}
---
I.e., pick out tags and in-between text, escape all "<" and "&" in text,
remove all unallowed tags, remove all attributes from allowed tags,
and close all open tags correctly (remove incorrect closing tags).

While this might not give exactly what an author intended for some
invalid HTML, he really has only himself to blame :)

I have no idea how to convert this to PHP, but a competent PHP'er will
probably know how.
/L

[1] Yes, style elements can be dangerous too (works in, at least, IE):
<b style="backgrou nd-image:
url(javascript: document.locati on.href='http://mysexsite.examp le.com/')">
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'

Lasse Reichstein Nielsen wrote:

So in Javascript, I would do something like:

My question is, what good is javascript in this situation? He still
has to check the input on the server side, before he puts it in his
database. He's got to do it in php.

"ch************ ****@gmail.com" <ch************ ****@gmail.com> writes:

Lasse Reichstein Nielsen wrote:

So in Javascript, I would do something like:
My question is, what good is javascript in this situation?

It's a functional description of an algorithm in a language that is
on-topic for this newsgroup. It might even be used on the client side
to preview what the final result will be, for non-malicious users.
He still has to check the input on the server side, before he puts
it in his database. He's got to do it in php.

Agree completely that it has to be used server side, in whatever
language the server side uses (which could be Javascript, but the
orginal poster appears to use PHP).

It's easier to translate an existing function into a new language than
to write one from scratch, and with a javascript version (as opposed
to a pseudocode description), you can even test that the translation
gives the same results.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleD OM.html>
'Faith without judgement merely degrades the spirit divine.'

I understand.