Thread: RE: Scrubbing user inputs (solved)
United States
2008-07-21 13:10:36
Thanks to all your comments, we have a solution.

The best I’ve been able to do on the server side is remove the offending binary code, basically losing the format.

Using fckeditor (thanks, Dwayne) I’m back on the client side and the initial prognosis is good. The text is converted to nicely formatted html. As long as you’re remaining in a web environment, it shouldn’t really pose any problems, but if you are to use, say, Oracle Reports to extract data from the tables and render it out as PDF, additional work may be required. Let’s keep in mind that what we’re asking it to do is retain formatting. I’d much rather deal with formatting retained as HTML instead of some pile of ascii-binary-ascii junk.

At Joe B’s request I reversed the process to see what would happen when I pasted html stored in the table back to MSWord. The text retrieved directly from the table (figure 1) had visible html tags. The text retrieved from the table and pasted from fckeditor back into MSWord (figure 2) looked great.
(figure 1)
<P>this is a test of bullets</P>
<UL>
<LI>1</LI>
<LI>2</LI>
<LI>3</LI></UL>
(figure 2)
this is a test of bullets
· 1
· 2
· 3
Thanks again for all the input received. You guys are great.
Monty
(Note to self: “why am I not using Application Express for this?”)
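The HTML in figure 1 is produced by an editor running in the browser, and anything the browser sends can be altered before it reaches the server, so markup that is written to a table and later rendered back to other users still has to be reduced to a known-safe set of tags on the server side. The following is an added example, not code from the thread or from FCKeditor, written in Python rather than the PL/SQL Web Toolkit the thread uses; the tag allowlist is an assumption chosen to cover the paragraph and list markup shown in figure 1, and the hostile input is constructed for the example.

```python
import html
from html.parser import HTMLParser

# Assumption of this example: the only markup worth keeping from the editor is
# paragraph, list and simple emphasis tags.  Every attribute is dropped.
ALLOWED_TAGS = {"p", "ul", "ol", "li", "b", "i", "strong", "em", "br"}
VOID_TAGS = {"br"}
# Tags whose text content is discarded, not merely unwrapped.
DROP_CONTENT_TAGS = {"script", "style"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only ALLOWED_TAGS, with no attributes,
    re-escaping all text and closing any tag the input left open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of allowed tags currently open
        self.drop_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag: unwrap it, keep its text
        self.out.append(f"<{tag}>")   # attributes deliberately not emitted
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close everything opened after this tag so output stays well formed.
            while True:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Entities were decoded by the parser; escape again on the way out.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# The markup from figure 1 of the thread.
FIGURE_1 = ("<P>this is a test of bullets</P>\n"
            "<UL>\n<LI>1</LI>\n<LI>2</LI>\n<LI>3</LI></UL>")

# Constructed hostile input for the example: event handler, script, javascript:
# link and an image with an onerror handler.
HOSTILE = ('<p onmouseover="alert(1)">hi</p><script>alert(2)</script>'
           '<a href="javascript:alert(3)">link</a><img src=x onerror=alert(4)>')

if __name__ == "__main__":
    print(sanitize_html(FIGURE_1))
    print(sanitize_html(HOSTILE))
```

The figure 1 fragment passes through with its structure intact (tag names lower-cased), while the hostile fragment is reduced to `<p>hi</p>link`. Running this on the server, after the editor has done its Word clean-up on the client, keeps the formatting the thread wanted without trusting the browser to decide what is stored.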
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of Emberson, Dwayne
Sent: Monday, July 21, 2008 9:21 AM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: RE: Scrubbing user inputs
Again, am unsure of what your client is, or how you are accepting the input, but one idea is to use the freely available fckeditor as a javascript text area input on your forms. When you do a paste from Word to the editor, it scrubs the input, and converts it into clean HTML, so bullets still look nice, but are now in HTML. This is a tremendous tool for bringing very nicely formatted text into a text area. It is also a nice in-line web editor for direct entry as well. Application Express now has this editor built into it as one of the options for a text area.
Dwayne
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of Begenwald, Joe
Sent: Monday, July 21, 2008 9:01 AM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: RE: Scrubbing user inputs

Didn’t mean to imply that it couldn’t or shouldn’t be done in the database. I agree that’s the best approach. I was just saying you shouldn’t be “criticized” (if that’s even what it was) for saying you “needed” to handle this on the client.
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of Monty Latiolais
Sent: Friday, July 18, 2008 6:11 PM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: RE: Scrubbing user inputs

I appreciate all giving of their time to look at this.

I do have access to both client and server side. Based on the responses I’ve received, I will “scrub” it server-side.

I thought this type of validation would normally be done client-side. That was my motivation as much as anything.

Have a great weekend!
Monty
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of Begenwald, Joe
Sent: Friday, July 18, 2008 4:35 PM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: RE: Scrubbing user inputs

I’m just guessing here, John (and James, too), but perhaps Monty will only have access to the client code, and may not be permitted to make server-side changes. Not ideal, I grant you, but all too common.
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of John Flack
Sent: Friday, July 18, 2008 12:11 PM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: RE: Scrubbing user inputs

Tell us a little more – what errors are you getting – error code, additional information?

What is the datatype of the parameter to your “action” procedure that processes input from the form? What is the datatype of the comment column in your table? Why do you need to handle it client-side?

I have used a “clean-up” routine that handles this server side – it removes white space from the beginning and end of the incoming data, changes non-printable characters to spaces, removes extra spaces and normalizes carriage returns and linefeeds to CRLF sequences before storing the data in the database.
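The server-side clean-up John describes (trim the ends, turn non-printable characters into spaces, collapse extra spaces, normalize line endings to CRLF), carried through as an added example. This is not the routine from the list and is written in Python rather than PL/SQL; it goes one step beyond the description by first mapping Word's Windows-1252 characters, including the bullet that started the thread, to ASCII, so a pasted bullet becomes a visible marker instead of a blank. That mapping, the cp1252 assumption about the client and the sample paste are all constructed for the example.

```python
import re

# Word pastes arrive as Windows-1252 typographic characters (smart quotes,
# dashes, the bullet 0x95).  This mapping is an assumption of the example,
# not part of the routine described on the list: it keeps a visible marker
# for a bullet instead of turning it into a bare space.
WORD_TO_ASCII = {
    "\u2018": "'", "\u2019": "'",      # single smart quotes
    "\u201c": '"', "\u201d": '"',      # double smart quotes
    "\u2013": "-", "\u2014": "-",      # en dash, em dash
    "\u2022": "*", "\u00b7": "*",      # bullet, middle dot (Word list bullets)
    "\u2026": "...",                   # ellipsis
    "\u00a0": " ",                     # non-breaking space
}


def scrub_comment(raw, encoding="cp1252"):
    """Return a printable-ASCII, CRLF-normalised copy of a form field.

    raw may be bytes (as received from the HTTP request) or str.  The
    encoding default assumes a Windows client; that is an assumption.
    """
    text = raw.decode(encoding, errors="replace") if isinstance(raw, bytes) else raw

    # 1. Translate Word's typographic characters before the non-printable
    #    pass would otherwise blank them out.
    text = "".join(WORD_TO_ASCII.get(ch, ch) for ch in text)

    # 2. Normalise every line ending (CRLF, bare CR, bare LF) to CRLF first,
    #    so step 3 does not treat CR/LF as "non-printable".
    text = re.sub(r"\r\n|\r|\n", "\r\n", text)

    # 3. Replace anything that is not printable ASCII (and not CR/LF) with a
    #    space: control bytes, the U+FFFD left by an undecodable byte, and
    #    any non-ASCII character with no mapping above.
    text = "".join(ch if 32 <= ord(ch) < 127 or ch in "\r\n" else " " for ch in text)

    # 4. Collapse runs of spaces and drop trailing spaces on each line.
    text = re.sub(r" {2,}", " ", text)
    text = re.sub(r" +(?=\r\n)", "", text)

    # 5. Trim leading and trailing whitespace of the whole value.
    return text.strip()


# Constructed sample: a Windows-1252 paste with Word bullets (0x95), smart
# quotes (0x93/0x94), an em dash (0x97), a NUL and a BEL, mixed line endings.
SAMPLE_PASTE = (b"\x95 first item\r\n"
                b"\x95 second \x93quoted\x94 item\n"
                b"\x97 dash \x00\x07end  ")

if __name__ == "__main__":
    print(repr(scrub_comment(SAMPLE_PASTE)))
```

The order of the steps matters: line endings are normalised before the non-printable pass so that CR and LF survive it, and the Word characters are mapped before that pass so they are not reduced to spaces. Whatever comes out is guaranteed to be 7-bit ASCII, which is the property a US7ASCII column or an ASCII-only report renderer actually needs.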
From: ml-errors fatcity.com [mailto:ml-errors fatcity.com] On Behalf Of Monty Latiolais
Sent: Friday, July 18, 2008 11:31 AM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: Scrubbing user inputs

Hello all,

I’ve built a simple html form using the pl/sql web toolkit that has a place for the user to include comments. It’s been in production for months if not years.

Recently, we’ve experienced errors related to the content of the comments and I’ve traced it to users cutting and pasting content from MS Word directly into the web form comments field. Even that is fine except for when the user attempts to paste in bullets.

I’ll have to handle this on the client-side. Any ideas?

Regards,
Monty