
How to disable site from recognizing HTML in comments from

         

apn85

4:32 pm on Oct 12, 2007 (gmt 0)




Here's my site: <url removed>

Basically some guy figured out that you can post HTML into the comment box and it will render as part of the web site. Needless to say, he completely destroyed my site and I had to temporarily take it offline.

Can anyone tell me how to disable the site from reading HTML posted in the comment box?

thanks!

[edited by: encyclo at 5:51 pm (utc) on Oct. 12, 2007]
[edit reason] no URLs thanks [/edit]

Demaestro

4:50 pm on Oct 12, 2007 (gmt 0)




apn, you can't post links to your site.

What you need to do is either parse out any HTML when it is written to whatever data store you are using, or you can pass the comment to a string in JavaScript that gets inserted into a tag and it will render the HTML tags as plain text.

Oh, and welcome to WebmasterWorld.

[edited by: Demaestro at 4:51 pm (utc) on Oct. 12, 2007]

penders

4:53 pm on Oct 12, 2007 (gmt 0)




This is ideally done server-side (PHP)... when you process the submitted form data, apply the PHP strip_tags() [uk.php.net] function.
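
The server-side handling suggested in this thread, as an added example that is not code from any of the posters: it strips tags when the form is processed and, separately, encodes the comment when the page is built. The function names and the sample comment are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Option 1 (the strip_tags() suggestion): remove tags when the form is processed.
function clean_comment_for_storage(string $raw): string
{
    // strip_tags() deletes anything that looks like a tag. It does not encode
    // quotes or ampersands, and broken tags can take extra text with them.
    return trim(strip_tags($raw));
}

// Option 2: keep the text as typed and encode it when the page is built,
// so the browser displays markup as characters instead of parsing it.
function render_comment(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . nl2br($safe) . "</p>\n";
}

// Constructed sample submission: harmless but page-breaking markup.
$submitted = "Great show!\n<h1 style=\"font-size:300px\">HELLO</h1> <b>bold</b> & \"quoted\"";

echo "Stripped, then encoded on output:\n";
echo render_comment(clean_comment_for_storage($submitted));

echo "Stored as typed, encoded on output:\n";
echo render_comment($submitted);
```

Encoding at output is worth keeping even when tags are stripped on input, because it also covers comments already in the data store and characters that strip_tags() leaves untouched.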

apn85

6:35 pm on Oct 12, 2007 (gmt 0)




Thanks for the help guys, I was trying to see if there was a way to do it myself, but it seems too hard.

Sorry for posting the link, I went on a radio show to promote my site and one guy basically came on and destroyed the whole thing by posting HTML code into the comment box.