paste as plain text from word

Hello, i'm trying to paste copied text from Word into an input box.
This text is saved into an Oracle db and then used as text in another
javascript.
The problem is that using the saved text (encoded and decoded in the
db to avoid sql injection) have some special char that block the
javascript execution (i think is unicode char).

So i would like to detect and delete this char with a javascript
function (i can't disable copy and paste), cause if i paste the text
copied in Word into Windows Notepad and then i copy from Notepad and i
paste again in my form i don't have problem.

Until now i used:
re = /\$|,|`|\'|\||\\ |\!|\./g;
return str.replace(re, "");

But is impossible to put all chars; does exist any function that
detect if a char is unicode or plain text, or a paste special?

Thanks in advance
Jun 27 '08 #1
Flyzone wrote:
> Hello, i'm trying to paste copied text from Word into an input box.
> This text is saved into an Oracle db and then used as text in another
> javascript.
> The problem is that using the saved text (encoded and decoded in the
> db to avoid sql injection) have some special char that block the
> javascript execution (i think is unicode char).
>
> So i would like to detect and delete this char with a javascript
> function (i can't disable copy and paste), cause if i paste the text
> copied in Word into Windows Notepad and then i copy from Notepad and i
> paste again in my form i don't have problem.
>
> Until now i used:
> re = /\$|,|`|\'|\||\\ |\!|\./g;
> return str.replace(re, "");
>
> But is impossible to put all chars; does exist any function that
> detect if a char is unicode or plain text, or a paste special?
>
> Thanks in advance

Hi,

Wouldn't it be easier to support unicode instead of trying to strip the
content?

Regards,
Erwin Moller
Jun 27 '08 #2
On 22 Apr, 11:24, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> Flyzone wrote:
>
> Wouldn't it be easier to support unicode instead of trying to strip the
> content?

Maybe, but is not so clean to put in the db some 'microsoft word'
trash...
However supporting the charset means? I have the string in db
urlencoded, i try

<?php
print "document.object.value='" . urldecode($string) . "';";
?>

that in javascript became

document.object.value='string_plus_chartrash
other trash
';

For what i know urldecode function in php is different from that in
javascript, so i'll need to write a urldecode function for
javascript....not more easy than clean the string before the db
insert..
Jun 27 '08 #3
Flyzone wrote:
> On 22 Apr, 11:24, Erwin Moller
> <Since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
>> Flyzone wrote:
>>
>> Wouldn't it be easier to support unicode instead of trying to strip the
>> content?
>
> Maybe, but is not so clean to put in the db some 'microsoft word'
> trash...
> However supporting the charset means? I have the string in db
> urlencoded, i try
>
> <?php
> print "document.object.value='" . urldecode($string) . "';";
> ?>
>
> that in javascript became
>
> document.object.value='string_plus_chartrash
> other trash
> ';
>
> For what i know urldecode function in php is different from that in
> javascript, so i'll need to write a urldecode function for
> javascript....not more easy than clean the string before the db
> insert..

Agree, I see your point.
Maybe somebody else can help. I have little experience with unicode and
JavaScript.

Regards,
Erwin Moller
Jun 27 '08 #4
Flyzone wrote:
> Hello, i'm trying to paste copied text from Word into an input box.
> This text is saved into an Oracle db and then used as text in another
> javascript.
> The problem is that using the saved text (encoded and decoded in the
> db to avoid sql injection)

I daresay that is a wrong and therefore potentially dangerous solution. The
SQL injection attack *cannot* be prevented by storing the data encoded in
the database, but it has to take place before storing the data in the
database, when passing the arguments to the (server-side) database
modification feature, by properly escaping some delimiter characters in the
query string that could be exploited in injection code. I find it hard to
believe that the Oracle API for your programming language does not offer
something like PHP does for MySQL with mysql_real_escape_string().

http://php.net/mysql_real_escape_string

> have some special char that block the javascript execution (i think
> is unicode char).

What would "unicode char" be? See below.

> So i would like to detect and delete this char with a javascript
> function (i can't disable copy and paste), cause if i paste the text
> copied in Word into Windows Notepad and then i copy from Notepad and i
> paste again in my form i don't have problem.

ISTM your problem is that you are trying to fix the issues that have arisen
because you have been implementing a wrong and potentially dangerous
solution. And that you are apparently unable to spell the English pronoun
`I' properly.

> Until now i used:
> re = /\$|,|`|\'|\||\\ |\!|\./g;

Eeek.

var re = /[!$',.`|]/g;

There is no variable required anyway, you can use the RegExp literal as
argument as it is:

> return str.replace(re, "");

return str.replace(/[!$',.`|]/g, "");

> But is impossible to put all chars;

It is possible: /[\u0000-\uffff]/g

Depending on what you mean by "all", it may be possible to specify other
character ranges. But I think either would be unnecessary overkill here.

http://developer.mozilla.org/en/docs...ar_expressions

> does exist any function that detect if a char is unicode or plain text,
> or a paste special?

No. Firstly, it is a misconception of yours to believe that Unicode
characters were not plain text, and that there would be "paste specials".

Secondly, all strings are stored internally using the UTF-16LE encoding from
JavaScript 1.3, ECMAScript edition 3 forward, and so they must represent
characters in the Unicode character set. Whether some of those characters
are also part of other character sets, most notably that supported by the
7-bit US-ASCII encoding, is irrelevant.

http://en.wikipedia.org/wiki/Unicode

Thirdly, ECMAScript implementations are Unicode-safe from edition 3 forward.
That includes identifiers. So it would only be probable that your encoded
string contains characters that are interpreted as control characters like
newline in eval(), in which case you should not use eval() or escape e.g.
"\n" with "\\n", respectively.

Like I said, you should forego the idea of encoding all the information in
your database completely (unless there are further security requirements to
consider) and properly escape your storing query string instead.

HTH

PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
Jun 27 '08 #5
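The advice above to escape control characters rather than strip them, shown as an added example that is not code from the thread: the pasted text is written out as a JavaScript string literal so that Word's typographic characters survive and line breaks no longer terminate the literal. The function names and the sample text are constructed for illustration.

```javascript
// Constructed sample: Word-style curly quotes, an en dash, a CRLF line
// break and U+2028 (LINE SEPARATOR).
const pasted =
  "\u201CQuarterly\u201D report \u2013 it\u2019s final\r\nsecond line\u2028third";

// What the PHP snippet in the thread effectively emits: raw text in quotes.
function naiveAssignment(text) {
  return "value = '" + text + "';";
}

// Escape instead of strip. JSON.stringify handles quotes, backslashes and
// control characters; the replace covers characters that are unsafe inside
// a <script> block or (before ES2019) inside a string literal.
function toJsStringLiteral(text) {
  return JSON.stringify(text).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function safeAssignment(text) {
  return "value = " + toJsStringLiteral(text) + ";";
}

// Parse and run one generated statement, returning the assigned value.
// new Function is used here only to check the generated source.
function runAssignment(source) {
  return new Function("let value; " + source + " return value;")();
}

// True when the generated statement is syntactically valid JavaScript.
function parses(source) {
  try {
    runAssignment(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

console.log("naive parses:", parses(naiveAssignment(pasted)));
console.log("safe literal:", toJsStringLiteral(pasted));
console.log("round trip ok:", runAssignment(safeAssignment(pasted)) === pasted);
```

The curly quotes and dash pass through untouched; only the line break in the naive form stops the script from parsing.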
On 22 Apr, 22:25, Thomas 'PointedEars' Lahn <PointedE...@web.de>
wrote:
> query string that could be exploited in injection code. I find it hard to
> believe that the Oracle API for your programming language does not offer
> something like PHP does for MySQL with mysql_real_escape_string().

I do an escape and then urlencode, and the server is internal for us,
out the internet and without critical data.

> And that you are apparently unable to spell the English pronoun `I' properly.

Ahm yes, I know I know.... sorry :P

> There is no variable required anyway, you can use the RegExp literal as
> argument as it is:

Was required, I just didn't tell, I would like to have different var
for different use, like just char, just number, just specialchar :)

> It is possible: /[\u0000-\uffff]/g

Gh you solved my problem, your reply is really appreciated, I have
wrong from the beginning searching a "paste special" instead of thinking
about a blur and function that use a more right regexp.

> So it would only be probable that your encoded
> string contains characters that are interpreted as control characters like
> newline in eval()

That was the problem with javascript, but some unicode chars are
however disliked.

> escape your storing query string instead.

Yes I'll do, but however I need to show at the users what they are
writing into the form and what will be deleted.

Thank you again
Jun 27 '08 #6
Flyzone wrote:
> On 22 Apr, 22:25, Thomas 'PointedEars' Lahn <PointedE...@web.de>
> wrote:
>> query string that could be exploited in injection code. I find it hard to
>> believe that the Oracle API for your programming language does not offer
>> something like PHP does for MySQL with mysql_real_escape_string().
>
> I do an escape and then urlencode, and the server is internal for us,
> out the internet and without critical data.

Nevertheless, the approach of escaping everything obviously requires a
greater database and less efficient storage and retrieval methods than
necessary.

>> So it would only be probable that your encoded
>> string contains characters that are interpreted as control characters like
>> newline in eval()
>
> That was the problem with javascript, but some unicode chars are
> however disliked.

Since Usenet works in both directions, it would be appropriate if you named
those characters so that others here can benefit from that knowledge.

>> escape your storing query string instead.
>
> Yes I'll do, but however I need to show at the users what they are
> writing into the form and what will be deleted.

I don't follow.

PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
Jun 27 '08 #7
