  1. #1
    Regular Coder

    how to store javascript in DB, so it does not execute when 'code' is later displayed

    I have just found a bug in my code that allows members to add in some javascript to their profiles and this is being executed when their profiles are being viewed by other members.

    After doing a simple test like so myself, I see that the JS is being stored so it functions normally when viewed.

    Code:
    <script language='JavaScript'>
    alert('hello');
    </script>

    How do I stop the JS from running and instead allow it to show as text? The profile field they fill out should not have JS at all, but it only just came to light that this problem exists!

    Any help on this would be much appreciated.

  • #2
    Supreme Master coder! abduraooft
    Always pass all the values entered by users through function htmlentities() before echoing on your site. Or use strip_tags() to remove all html tags in it.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
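    As an added illustration of the advice above (example code, not from the thread or its authors), the snippet below shows the profile field from post #1 being echoed unescaped and then escaped with htmlentities() at output time, with strip_tags() as the alternative. The $profile array and its bio value are constructed test data, not real user input.

```php
<?php
// Added example: output-encoding a stored profile field before echoing it.
// $profile stands in for a row loaded from the database; the bio value is a
// constructed payload mirroring the test in post #1.
declare(strict_types=1);

$profile = [
    'username' => 'alice',
    'bio'      => "<script language='JavaScript'>alert('hello');</script> likes PHP",
];

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes (needed inside attributes), and the
 * explicit charset stops malformed multi-byte input from slipping through.
 */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the stored markup reaches the browser verbatim, so the script runs.
// echo '<p>' . $profile['bio'] . '</p>';

// Fixed: the same value is rendered as visible text; the browser shows the
// <script> tags literally instead of executing them. Escape at output time,
// every time, regardless of what was done when the value was stored.
echo '<p>' . h($profile['bio']) . '</p>';

// Alternative: strip markup when the field is never meant to contain HTML.
// Note that strip_tags() keeps the text between the tags, so "alert('hello');"
// survives as plain text, and it does not replace escaping on output.
$clean = strip_tags($profile['bio']);
echo '<p>' . h($clean) . '</p>';
```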

