filter html special characters and WEB URL's but allow to enter email address and feedback in to asp.net vb textbox RSS

• • Reply
  Malaka92

  None

  0 Points

  1 Post

  filter html special characters and WEB URL's but allow to enter email address and feedback in to...

  Oct 09, 2018 03:59 AM|Malaka92|LINK

  filter any websites URLs and special html characters but allow to enter email address and user comments through textbox. textbox is use to gather user feedback. could you please help me with this ?

• • Reply
  Ackerly Xu

  Contributor

  3500 Points

  1300 Posts

  Re: filter html special characters and WEB URL's but allow to enter email address and feedback in...

  Oct 10, 2018 03:25 AM|Ackerly Xu|LINK

  Hi Malaka92,

  It seems that you want to prevent xss attack.

  If so , you could use build-in js function to help you encode the html text.

  Below is my code. Please pay attention that the code can't remove website like helloworld.com because it may be part of mail address  gmail@helloworld.com.

  If you only want to prevent xss , you could leave the website and remove  code= code.replace(/(http\:\/\/|https\:\/\/)([a-z0-9][a-z0-9\-]*\.)+[a-z0-9][a-z0-9\-]*/g,'')

    <form id="form1" runat="server">
          <asp:TextBox ID="TextBox1" runat="server" TextMode="MultiLine" Width="200px" Height="200px" Text="<a href='www.helloword.com'></a><script>alert('hello')  <script> some@gmail.com   http://localhost.com" >
  
  
          </asp:TextBox>
  
      </form>
      <script src="../Scripts/jquery-3.3.1.js"></script>
      <script>
  
          function htmlEncode (html){
          
            var temp = document.createElement ("div");
    //handling browser compatibility
            (temp.textContent != undefined ) ? (temp.textContent = html) : (temp.innerText = html);
               // use innerHTML to get encoded html content
            var output = temp.innerHTML;
           temp = null;
           return output;
          }
  
  
          $("#TextBox1").blur(
              function () {
                  var code = htmlEncode($(this).val());
  // use regex to remove all the website
                code= code.replace(/(http\:\/\/|https\:\/\/)([a-z0-9][a-z0-9\-]*\.)+[a-z0-9][a-z0-9\-]*/g,'')
                      
                  $(this).val(code);
              }
          )
      </script>

  And the  content of the textbox  after the textbox is blur.

  <a href='www.helloword.com'></a><script>alert('hello') <script> some@gmail.com

  Best regards,

  Ackerly Xu

  MSDN Community Support
  Please remember to click "Mark as Answer" the responses that resolved your issue.
  If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.