Prevent quotes in form text area

Cues Plus wrote:

Hello,

I have a simple form text area for people to add comments in. The problem is
that using the standard
<TEXT AREA NAME="comments" ROWS=4 COLS=35></TEXT AREA>

Allows people to put in quotes like: Please ensure "bob" is listed as the
first name not "bobby".

When that happens, the next processing of the text area input is submitted
as another variable. In the example above the first set of quotes in front
of bob then end the variable.

What I need is a way to either strip the quotes or prevent them from being
input in the first place.

Any ideas?

Thank you,

Michael

The value of the textarea could possibly contain new line characters as well,
which can lead to things like:

var s = "This is line 1 of the textarea and
this is line two of the text area";

So store the textarea in it's entirety, then when putting it back into a
variable, escape double-quotation marks and turn new lines and returns into \n
and \r:

s = <outputOfTheTextarea>.replace(/\x22/g, '\\"').replace(/\n/,
'\\n').replace(/\r/, '\\r');

--
| Grant Wagner <gw*****@agricoreunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*
http://devedge.netscape.com/library/...ce/frames.html

* Internet Explorer DOM Reference available at:
*
http://msdn.microsoft.com/workshop/a...ence_entry.asp

* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 7 / Mozilla
* http://www.mozilla.org/docs/web-deve...upgrade_2.html

Cues Plus said:

Hello,

I have a simple form text area for people to add comments in. The problem is
that using the standard
<TEXT AREA NAME="comments" ROWS=4 COLS=35></TEXT AREA>

Allows people to put in quotes like: Please ensure "bob" is listed as the
first name not "bobby".

When that happens, the next processing of the text area input is submitted
as another variable. In the example above the first set of quotes in front
of bob then end the variable.

What I need is a way to either strip the quotes or prevent them from being
input in the first place.

You must never rely on client-side code to ensure that form
input is valid. You don't know that your customer even has
JavaScript enabled.

What you really need to do is to fix your CGI script so that
it handles the input correctly.

Cues Plus a ecrit :

Hello,

I have a simple form text area for people to add comments in. The problem is
that using the standard
<TEXT AREA NAME="comments" ROWS=4 COLS=35></TEXT AREA>

Allows people to put in quotes like: Please ensure "bob" is listed as the
first name not "bobby".

What I need is a way to either strip the quotes or prevent them from being
input in the first place.

Try :

<textarea onchange="this.value=this.value.replace('"','|');"
or
<textarea onchange="this.value=this.value.replace('\"','\|') ;"

I understand that completely... The problem is not really with the CGI
script because it is designed to spit out exactly what was put in. The
problem lies with the form the CGI script feeds. (I could fix the CGI if I
had access to it though).

The problem is mostly cosmetic without JavaScript enabled anyway... With out
it (and if someone used quotes) the output on the screen would look like:

">

But if I could get the quotes stripped out it would just show a blank line
like it is supposed to.

Thanks for the input but so far I'm not able to use any suggestions
successfully.

Michael
--
http://www.cuesplus.com
http://www.cuesplusbilliards.com
http://www.stixplus.com
(remove SPAMBLOCK if replying by e-mail)
"Lee" <RE**************@cox.net> wrote in message
news:br*********@drn.newsguy.com...

You must never rely on client-side code to ensure that form
input is valid. You don't know that your customer even has
JavaScript enabled.

What you really need to do is to fix your CGI script so that
it handles the input correctly.

"Cues Plus" <sa***@SPAMBLOCKcuesplus.com> writes:

I understand that completely... The problem is not really with the CGI
script because it is designed to spit out exactly what was put in.

That *is* a problem. Simply spitting out what comes in, will not
generate valid HTML. The output of the CGI-script is used as HTML,
so it should be HTML.

/L
--
Lasse Reichstein Nielsen - lr*@hotpop.com
DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
'Faith without judgement merely degrades the spirit divine.'

Cues Plus said:

I understand that completely... The problem is not really with the CGI
script because it is designed to spit out exactly what was put in.

That's exactly the problem with the script.
It should have more intelligence.

Irrelevant to the discussion though. Which is: how to prevent people from
putting in quotes in a textarea of a form or to convert the quotes to
something else.

Michael

--

(remove SPAMBLOCK if replying by e-mail)
"Lee" <RE**************@cox.net> wrote in message
news:bs********@drn.newsguy.com...

Cues Plus said:

I understand that completely... The problem is not really with the CGI
script because it is designed to spit out exactly what was put in.

That's exactly the problem with the script.
It should have more intelligence.