By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,680 Members | 2,139 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,680 IT Pros & Developers. It's quick & easy.

paste as plain text from word

P: n/a
Hello, i'm trying to paste copied text from word into an input box.
This text is saved into a oracle db and then used as text in another
javascript.
The problem is that using the saved text (encoded and decoded in the
db to avoid sql injection) have some special char that block the
javascript execution (i think is unicode char).

So i would like to detect and delete this char with a javascript
function (i can't disable copy and paste), cause if i paste the text
copied in word into window notepad and then i copy from notepad ad i
paste again in my form i don't have problem.

Until now i used:
re = /\$|,|`|\'|\||\\|\!|\./g;
return str.replace(re, "");

But is impossible to put all chars; does exist any function that
detect if a char is unicode or plain text, or a paste special?

Thanks in advance
Jun 27 '08 #1
Share this Question
Share on Google+
6 Replies


P: n/a
Flyzone schreef:
Hello, i'm trying to paste copied text from word into an input box.
This text is saved into a oracle db and then used as text in another
javascript.
The problem is that using the saved text (encoded and decoded in the
db to avoid sql injection) have some special char that block the
javascript execution (i think is unicode char).

So i would like to detect and delete this char with a javascript
function (i can't disable copy and paste), cause if i paste the text
copied in word into window notepad and then i copy from notepad ad i
paste again in my form i don't have problem.

Until now i used:
re = /\$|,|`|\'|\||\\|\!|\./g;
return str.replace(re, "");

But is impossible to put all chars; does exist any function that
detect if a char is unicode or plain text, or a paste special?

Thanks in advance
Hi,

Wouldn't it be easier to support unicode instead of trying to strip the
content?

Regards,
Erwin Moller
Jun 27 '08 #2

P: n/a
On 22 Apr, 11:24, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
Flyzone schreef:

Wouldn't it be easier to support unicode instead of trying to strip the
content?
Maybe, but is not so clean to put in the db some 'microsoft word'
trash...
However supporting the charset means? I have the string in db
urlencoded, i try

<?php
print "document.object.value='".urldecode(".$string."'); ";
?>

that in javascript became

document.object.value='string_plus_chartrash
other trash
';

For what i know urldecode function in php is different from that in
javascript, so i'll need to write a urldecode function for
javascript....not more easy than clean the string before the db
insert..
Jun 27 '08 #3

P: n/a
Flyzone schreef:
On 22 Apr, 11:24, Erwin Moller
<Since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
>Flyzone schreef:

Wouldn't it be easier to support unicode instead of trying to strip the
content?

Maybe, but is not so clean to put in the db some 'microsoft word'
trash...
However supporting the charset means? I have the string in db
urlencoded, i try

<?php
print "document.object.value='".urldecode(".$string."'); ";
?>

that in javascript became

document.object.value='string_plus_chartrash
other trash
';

For what i know urldecode function in php is different from that in
javascript, so i'll need to write a urldecode function for
javascript....not more easy than clean the string before the db
insert..
Agree, I see your point.
Maybe somebody else can help. I have little experience with unicode and
JavaScript.

Regards,
Erwin Moller
Jun 27 '08 #4

P: n/a
Flyzone wrote:
Hello, i'm trying to paste copied text from word into an input box.
This text is saved into a oracle db and then used as text in another
javascript.
The problem is that using the saved text (encoded and decoded in the
db to avoid sql injection)
I daresay that is a wrong and therefore potentially dangerous solution. The
SQL injection attack *cannot* be prevented by storing the data encoded in
the database, but it has to take place before storing the data in the
database, when passing the arguments to the (server-side) database
modification feature, by properly escaping some delimiter characters in the
query string that could be exploited in injection code. I find it hard to
believe that the Oracle API for your programming language does not offer
something like PHP does for MySQL with mysql_real_escape_string().

http://php.net/mysql_real_escape_string
have some special char that block the javascript execution (i think
is unicode char).
What would "unicode char" be? See below.
So i would like to detect and delete this char with a javascript
function (i can't disable copy and paste), cause if i paste the text
copied in word into window notepad and then i copy from notepad ad i
paste again in my form i don't have problem.
ISTM your problem is that you are trying to fix the issues that have arisen
because you have been implementing a wrong and potentially dangerous
solution. And that you are apparently unable to spell the English pronoun
`I' properly.
Until now i used:
re = /\$|,|`|\'|\||\\|\!|\./g;
Eeek.

var re = /[!$',.`|]/g;

There is no variable required anyway, you can use the RegExp literal as
argument as it is:
return str.replace(re, "");
return str.replace(/[!$',.`|]/g, "");
But is impossible to put all chars;
It is possible: /[\u0000-\uffff]/g

Depending on what you mean by "all", it may be possible to specify other
character ranges. But I think either would be unnecessary overkill here.

http://developer.mozilla.org/en/docs...ar_expressions
does exist any function that detect if a char is unicode or plain text,
or a paste special?
No. Firstly, it is a misconception of yours to believe that Unicode
characters were not plain text, and that there would be "paste specials".

Secondly, all strings are stored internally using the UTF-16LE encoding from
JavaScript 1.3, ECMAScript edition 3 forward, and so they must represent
characters in the Unicode character set. Whether some of those characters
are also part of other character sets, most notably that supported by the
7-bit US-ASCII encoding, is irrelevant.

http://en.wikipedia.org/wiki/Unicode

Thirdly, ECMAScript implementations are Unicode-safe from edition 3 forward.
That includes identifiers. So it would only be probable that your encoded
string contains characters that are interpreted as control characters like
newline in eval(), in which case you should not use eval() or escape e.g.
"\n" with "\\n", respectively.

Like I said, you should forego the idea of encoding all the information in
your database completely (unless there are further security requirements to
consider) and properly escape your storing query string instead.
HTH

PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
Jun 27 '08 #5

P: n/a
On 22 Apr, 22:25, Thomas 'PointedEars' Lahn <PointedE...@web.de>
wrote:
query string that could be exploited in injection code. I find it hard to
believe that the Oracle API for your programming language does not offer
something like PHP does for MySQL with mysql_real_escape_string().
I do an escape and then urlencode, and the server is internal for us,
out the
internet and without critical data.
And that you are apparently unable to spell the English pronoun `I' properly.
Ahm yes, I know I know.... sorry :P
There is no variable required anyway, you can use the RegExp literal as
argument as it is:
Was required, I just didn't told, I would like to have different var
for
differente use, like just char, just number, just specialchar :)
It is possible: /[\u0000-\uffff]/g
Gh you solved my problem, your reply is really appreciated, I have
wrong
from the beginning searching a "paste speacial" instead of thinking
about
a blur and function that use a more right regexp.
So it would only be probable that your encoded
string contains characters that are interpreted as control characters like
newline in eval()
That was the problem with javascript, but some unicode chars are
however disliked.
escape your storing query string instead.
Yes I'll do, but however I need to show at the users what they are
writing into
the form and what will be deleted.

Thank you again
Jun 27 '08 #6

P: n/a
Flyzone wrote:
On 22 Apr, 22:25, Thomas 'PointedEars' Lahn <PointedE...@web.de>
wrote:
>query string that could be exploited in injection code. I find it hard to
believe that the Oracle API for your programming language does not offer
something like PHP does for MySQL with mysql_real_escape_string().

I do an escape and then urlencode, and the server is internal for us,
out the internet and without critical data.
Nevertheless, the approach of escaping everything obviously requires a
greater database and less efficient storage and retrieval methods than
necessary.
>So it would only be probable that your encoded
string contains characters that are interpreted as control characters like
newline in eval()

That was the problem with javascript, but some unicode chars are
however disliked.
Since Usenet works in both directions, it would be appropriate if you named
those characters so that others here can benefit from that knowledge.
>escape your storing query string instead.

Yes I'll do, but however I need to show at the users what they are
writing into the form and what will be deleted.
I don't follow.
PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
Jun 27 '08 #7

This discussion thread is closed

Replies have been disabled for this discussion.