rynop (All American, 829 Posts):
The site I'm working on allows users to submit some html during a form submission. That html is then displayed in a template page of mine. Problem is when people do not submit valid html, it can sometimes throw off the look of my site (for example they introduce a <div> but don't close it). My quick solution was to create an iframe that fits seamlessly into my template, and have the user's data displayed in it.
Using the iframe brings up a bunch of other stuff that I do not like, so was wondering if anyone else has run into this problem, and how did they get around it?
I'm using fckEditor for the user input, so that's how some html gets into the post. I know I could completely disallow html, but I'm trying to avoid that. I was also thinking I could use some html DTD to validate the html, but I am not sure how to fix up the html if I find a problem.
thx 3/3/2008 7:37:56 PM
gs7 (All American, 2354 Posts):
The alternative? You have to parse their submission for tags that open and look for a tag that closes; if there isn't one, add the appropriate closing tag. In other words, you're thinking for them. Most bulletin board systems have this built in nowadays if you wanted to look at how they did it and modify it for your site. 3/3/2008 7:41:45 PM
rynop (All American, 829 Posts):
I think I found out what was wrong. fckeditor does the tag completion - my database table was just not set up to hold the large amount of data that was submitted, so it got cut off before the </div> close.
[Edited on March 3, 2008 at 7:52 PM. Reason : not] 3/3/2008 7:52:06 PM
qntmfred (retired, 40726 Posts):
Watch out for xss 3/3/2008 8:22:11 PM
Rat (Suspended, 5724 Posts):
xslt FTL 3/3/2008 8:27:23 PM
Metricula (Squishie Enthusiast, 4040 Posts):
possible security hole. cross server scripting attack GO! 3/3/2008 8:32:04 PM
rynop (All American, 829 Posts):
update: I'm gonna use html tidy along with some sanitation classes my framework provides to scrub the user posted data.
my app is php based, and php interfaces nicely with html tidy - for anyone interested: http://us.php.net/manual/en/ref.tidy.php.
[Edited on March 5, 2008 at 4:49 PM. Reason : phptidy] 3/5/2008 4:47:56 PM
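As an added example (not rynop's code and not from the thread): the Tidy repair step from the post above combined with an allowlist pass that covers the xss warnings raised earlier in the thread. It assumes ext-tidy (the php5-tidy package) and ext-dom are loaded; the function name cleanUserHtml and the allowlist contents are my own choices.

```php
<?php
// Added example (not the original poster's code). Assumes ext-tidy and ext-dom.
// Tidy closes unbalanced tags (the thread's unclosed <div>); the allowlist pass
// then removes anything that could run script before the template echoes it.
function cleanUserHtml(string $fragment): string {
    $repaired = (string) tidy_repair_string($fragment, [
        'show-body-only' => true, 'output-xhtml' => true, 'wrap' => 0,
    ], 'utf8');

    $allowedTags  = ['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a', 'div'];
    $allowedAttrs = ['a' => ['href']]; // no class/style/on* on any tag

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $repaired . '</div>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $root  = $xpath->query('//div[@id="root"]')->item(0);

    // Walk the element list in reverse document order so removals do not disturb it.
    $nodes = iterator_to_array($xpath->query('//div[@id="root"]//*'), false);
    foreach (array_reverse($nodes) as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, $allowedTags, true)) {
            $el->parentNode->removeChild($el); // <script>, <iframe>, <style>... go with their content
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowedAttrs[$tag] ?? [], true);
            // Even an allowed href must not be a javascript:/data: URL.
            if ($keep && $name === 'href'
                && !preg_match('#^(https?:|mailto:|/|\#)#i', trim($attr->value))) {
                $keep = false;
            }
            if (!$keep) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: an unclosed <div>, an inline handler and a <script>.
echo cleanUserHtml('<div class="x">Hi <b onmouseover="alert(1)">there</b><script>alert(1)</script>');
```

The output keeps the closed <div> and the <b> text but drops the class attribute, the onmouseover handler and the whole <script> element.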
ncsuboy911 (Suspended, 240 Posts):
you got a . at the end of the link http://us.php.net/manual/en/ref.tidy.php 3/5/2008 4:51:19 PM
rynop (All American, 829 Posts):
^thx. 1 more thing that was not straightforward. I use ubuntu server. Doing a google search to find out how to install tidy for php5 on ubuntu gives misleading results. ubuntu 7.10 has a php5-tidy package. all you have to do is install that pkg and restart apache. hope this helps someone. 3/5/2008 5:16:04 PM