How can I deactivate paste in a rich text edit box?

About: Usenet: comp.lang.javascript

What I really want it to do is to strip all HTML just from the paste input.  It would function just exactly like the box here at Google Groups.  I want just what you get if you select all on a web page and go to WordPad and paste.

Seth Russell wrote:

> Not really, you can't write HTML (in my version)

right.  You're sending the user a program - a javascript program - and saying, "please run this and send me the results."  Then when you get the results, you just assume that they are correct?  Why? Because the user was nice and ran your javascript program?

See, the thing is, a person can create their own little web page with a form in it that submits to *your* page.  Do you understand? The kind of person that you're worried about, the kind of person who'd cut and paste HTML, is certainly the kind of person who is technically capable of this simple task.

You *have* to check the input.  You have to.  It's not optional. It's not a nice thing that you'll do later, after you get the rest of the application working.  You have to do it now.  Checking the input is more important than the user interface.  It's more important than that rich-text edit box.  Whatever it is that you're developing, it will NEVER be secure until you check and correct the input.

I'm sorry, but this is web programming 101.  It's really something that you need to understand before you even get started.

Thanks, Christopher, I needed that ...

Wow! Looks like I'm getting exactly what I wanted

More wisdom from Mr Nielsen ...

The idea was to remove bad HTML from the input, which means that it never gets any further.

I have now checked the site, and can see that more formatting is allowed than what my script would let through. The colors are set using spans with style attributes, so that should be allowed too ... (yeah my wiki references us that) and then you can't throw away all attributes, or even all style attributes, so a more precise filtering is needed.

What you need to remove is then, at least:

Scripts:
 * all script elements.
 * all intrinsic event handlers (any attribute starting with "on" should do)
 * all script urls (any url starting with a protocol not http or ftp, both in links and image elements, and in style attributes)
 * any iframe or object element (could embed another page with scripts).

Malicious HTML:
 * any opening or closing comment
 * any closing tag not matching an opening tag (throw in a </table> and see :).
 * any starting tag not closed (especially those with CDATA content, i.e., script, style and textarea)

With those gone, I'm fairly sure there is no scripting left, and the HTML can be contained in its div (adding </table> or </div> could otherwise mess up the layout).

I have done some testing (as anonymous user aaaaej) which messes things up quite badly (I think I deleted them now, or maybe the Wizzard did :).

/L
--
Lasse Reichstein Nielsen  -  l...@hotpop.com
 DHTML Death Colors: <URL:http://www.infimum.dk/HTML/rasterTriangleDOM.html>
  'Faith without judgement merely degrades the spirit divine.'
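The checklist Lasse gives above is exactly what a server-side filter (Christopher's "check the input") has to enforce. The following is an added example, not code from the thread or from the site being discussed: it applies each item of that list with an allowlist and a tag stack. The allowed tags and attributes, the simple style grammar and the sample inputs are assumptions chosen for the demo.

```javascript
// Added example: server-side HTML filter implementing Lasse's checklist.
// ALLOWED_TAGS/ALLOWED_ATTRS and the style grammar are assumptions for the demo.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'span', 'a', 'img', 'div']);
const VOID_TAGS = new Set(['br', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'style']);
const SAFE_URL = /^\s*(https?|ftp):/i;                 // only http(s)/ftp urls survive
// elements with CDATA content or that embed another document: dropped whole,
// including their content; an unclosed one swallows everything after it
const DROP_WHOLE = /<(script|style|textarea|iframe|object)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
const UNCLOSED_DROP = /<(script|style|textarea|iframe|object)\b[\s\S]*$/i;

function safeStyle(value) {
  // plain "prop: value;" declarations only: no url(), expression() or escapes
  return /^[\w\s#:;,%.-]*$/.test(value);
}

function filterAttrs(raw) {
  const out = [];
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    if (name.startsWith('on') || !ALLOWED_ATTRS.has(name)) continue;       // event handlers
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value)) continue; // script urls
    if (name === 'style' && !safeStyle(value)) continue;
    out.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return out.join('');
}

function sanitizeHtml(input) {
  let html = input.replace(/<!--[\s\S]*?-->/g, '').replace(/<!--|-->/g, ''); // comments
  html = html.replace(DROP_WHOLE, '').replace(UNCLOSED_DROP, '');
  const stack = [], out = [];
  const tag = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const text = (s) => out.push(s.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
  let last = 0, m;
  while ((m = tag.exec(html)) !== null) {
    text(html.slice(last, m.index)); last = tag.lastIndex;
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;                // unknown element: tag dropped, text kept
    if (m[1] === '/') {                                   // closing tag must match the open one
      if (stack[stack.length - 1] === name) { stack.pop(); out.push(`</${name}>`); }
    } else {
      out.push(`<${name}${filterAttrs(m[3])}>`);
      if (!VOID_TAGS.has(name)) stack.push(name);
    }
  }
  text(html.slice(last));
  while (stack.length) out.push(`</${stack.pop()}>`);   // close what was left open
  return out.join('');
}
```

Because the stack only ever emits a closing tag for an element it opened, the result stays contained in the surrounding div no matter how many stray `</table>` or `</div>` tags the input carries.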

.... thanks, Lasse

Tags

  1. rte
  2. rte paste
  3. bug
  4. comment

Comments


Mark de LA says
Kewl! volunteer QA

Seth says
looks like Lasse Reichstein Nielsen was testing in group aaaaej

Seth says
oh, you'll need to sign on to that group (it's open) to see his mischief

Seth says
yes, definitely, kewl. Did u sign on to his anonymous group and see the damage? It is quite dramatic.

Mark de LA says
I thought the orange was a nice touch!

Seth says
yo

Seth says
seth 2006-02-08 10:30:02 1126
yo
i was able to post this comment from this google cache
