How to block scripts
Haidar
07-21-2010, 07:26 PM
The thing is, I have a website where I have also built an admin system. The admins can post news, voting polls and more applications. But at the same time, when they write, for example, a new news event, they can write scripts in the textareas and these will be shown to the guests visiting my site.
How can I make it so admins can only post text and single script codes (like editing text color, fat style and so on), but not so they can write a whole script that can affect the guests, for example to link them to another website automatically?
Sorry for my English. I will be thankful for help. ;)
Old Pedant
07-21-2010, 08:30 PM
Do it like this forum does.
People must use only a *FEW* tags in their posts, such as [ b ] and [ i ].
All <...> tags are converted to non-tags (by converting < to &lt; )
And then only those *few* tags you allow are converted. [ b ] is converted to < b >.
I put spaces in the tags so they would not be seen as tags, of course.
This is all very easy to do with JavaScript's String.replace() functionality.
Haidar
08-18-2010, 05:18 PM
> Do it like this forum does.
> People must use only a *FEW* tags in their posts, such as [ b ] and [ i ].
> All <...> tags are converted to non-tags (by converting < to &lt; )
> And then only those *few* tags you allow are converted. [ b ] is converted to < b >.
> I put spaces in the tags so they would not be seen as tags, of course.
> This is all very easy to do with JavaScript's String.replace() functionality.
I used this tag I found at w3school and I don't know how many hours I spent, but it didn't work. I put the code in the head tag and then tried in the body tag, but it didn't work either.
<script type="text/javascript">
document.write(str.replace(/</gi, "&lt;"));
</script>
I want all text that is written in text fields/areas to get converted when it is posted. So if someone wants to write "Hey my name is <b>bla bla</b>" I want the < tag to not take any action.
Please help!!!
Old Pedant
08-18-2010, 09:03 PM
And what happens if the user disables JavaScript?
Or what happens if some spoofer hits your site not even using a browser?
You *NEED* to do the replacement ON THE SERVER, in your ASP code.
In any case, your JS code won't work as you coded it, at all.
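The escape-first, allowlist-second approach described in this thread, as an added example that is not part of the original posts. It is written in plain JavaScript so it can be run as is; on this site the same logic belongs in the server-side ASP code, and the names ALLOWED_TAGS, escapeHtml and renderPost are assumptions made for the example.

```javascript
// Added example: escape ALL markup first, then re-enable a short allowlist
// of forum-style tags. ALLOWED_TAGS, escapeHtml and renderPost are names
// chosen for this example, not code from the thread.
const ALLOWED_TAGS = ["b", "i", "u"];

// Replace every character that is special in HTML text or attribute values.
// "&" is in the same single pass, so existing entities are not double-handled.
function escapeHtml(text) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderPost(raw) {
  // Step 1: after this call no "<" typed by the poster can start a tag.
  let html = escapeHtml(raw);

  // Step 2: convert only complete [tag]...[/tag] pairs from the allowlist.
  // The pattern accepts no attributes, so nothing like onclick= can ride
  // along, and an unclosed [b] stays as literal text.
  for (const tag of ALLOWED_TAGS) {
    const pair = new RegExp("\\[" + tag + "\\]([\\s\\S]*?)\\[/" + tag + "\\]", "gi");
    html = html.replace(pair, "<" + tag + ">$1</" + tag + ">");
  }

  // Step 3: keep the poster's line breaks.
  return html.replace(/\r?\n/g, "<br>");
}

// Constructed sample input: raw HTML, a script tag and one allowed tag.
const sample = "Hey my name is <b>bla bla</b> <script>alert(1)</script> [i]hello[/i]";
console.log(renderPost(sample));
```

Run the conversion when the post is rendered or stored on the server, never only in the visitor's browser, since a request sent without a browser skips any client-side script.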
zolwang
08-21-2010, 02:22 AM
One of the problems of browser security settings is they tend to be all-or-nothing choices: either enable or disable JavaScript, Java, popups, etc. However, tools like JavaScript are used for legitimate purposes on millions of sites. So, what do you do if you want to make absolutely sure to avoid potential JavaScript exploits, but also use sites that depend on it for functionality? In Firefox, you can install the NoScript extension, which lets you selectively enable and disable JavaScript, so that you can keep it on when using sites you trust, but turn it off when browsing to new sites. You can also temporarily enable it when you get to a site you're not sure about.