This is an extension of a previous question I asked. I ran into some additional issues.
I am loading a form with dynamic textarea boxes. Don't ask why, but I need to populate these fields using JavaScript (has to deal with AJAX stuff, etc). To simplify things, let's just say my textarea has a name of "myTextarea" and I want to populate with a request parameter "myRequestParam". So I'd want to do something like:
updateTextareaText("myTextarea", "${myRequestParameter}");
From my previous question, I've found that this solves some issues:
updateTextareaText("myTextarea", unescape('<c:out value="${myRequestParam}" />'));
I have tried a number of different implementations for updateTextareaText, but nothing seems to work. I need to handle both newlines and special characters.
Try #1
function updateTextareaText(textareaElementName, newText) {
var textareaBox = document.getElementsByName(textareaElementName)[0];
textareaBox.innerHTML = newText;
}
Try #2
function updateTextareaText(textareaElementName, newText) {
var textareaBox = document.getElementsByName(textareaElementName)[0];
textareaBox.value = newText;
}
Try #3
function updateTextareaText(textareaElementName, newText) {
var textareaBox = document.getElementsByName(textareaElementName)[0];
var existingNodes = textareaBox.childNodes;
if (existingNodes.length > 0) {
textareaBox.removeChild(existingNodes[0]);
}
var newTextNode = document.createTextNode(newText);
textareaBox.appendChild(newTextNode);
}
All of the above loose newlines and/or displays some special characters as their escaped values. I've been using the following myRequestParam value for testing:
Test
Newline and Special `~!##$%^&*()_+-={}|[]\:";'<>?,./
Does anyone know the correct way to handle all of the different cases? As a side note, the myRequestParam values are populated from the DB and are returning newlines as \r\n which I have been escaping as %0A, but I am not sure if that's what I should be doing. The JavaScript originally wouldn't handle the \r\n (it would complain about unterminated strings, etc).
See another question that I submitted. The trick was to remove the escaping from the backside and the whole escape and <c:out> stuff and instead use an EL function that utilizes StringEscapeUtils.escapeJavaScript.
Try jQuery:
$('#textAreaId').val('MyValue');
or
$('#textAreaId').html('MyValue');
Guess it would do the trick.
In a limited and local try it worked for me with your #2 function (only tried that one).
header: <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
javascript: updateTextareaText("txtarea", "Test\n\nNewline and Special `\~!##$%\^\&*()_+-={}|[]\:\";'<>?,.//\näöüÄÖÜß");
So the String you get is probably not escaped (\', \&, etc.), in which case Apache's StringEscapeUtils in Commons Langs helps ( http://commons.apache.org/lang/api-2.5/org/apache/commons/lang/StringEscapeUtils.html#escapeJavaScript%28java.lang.String%29 ).
Other than that, you would have to do a conversion for this javascript case by replacing ' with \' and so on... not pretty.
Related
I'm currently having an issue with a code. In my code, I've got a textarea where the user can enter the title of an article and I would like this article to be only in one row. That's why I wrote a script to prevent users to press the return key. But they could bypass this security, indeed if they copy/past the line break they could enter a line break. So, is there a way to detect line break ? I suppose we can do this with regular expressions and with \n or \n. However I tried this:
var enteredText = $('textarea[name="titleIdea"]').val();
var match = /\r|\n/.exec(enteredText);
if (match) {
alert('working');
}
and it doesn't work for an unknown reason. I think the var enteredText = $('textarea[name="titleIdea"]').val(); doesn't work because when I try to alert() it, it shows nothing. But something strange is that when I do an alert on $('textarea[name="titleIdea"]').val(); and not on the enteredText variable it shows the content.
Have a great day. (sorry for mistakes, I'm french)
if they copy/past the line break they could enter a line break
That's why you shouldn't even worry about preventing them from entering it - just don't save it. Remove it on the blur and input events if you really want to, but the only time it actually matters is before you save it to the database (or whatever you are using).
$('textarea[name="titleIdea"]').on('blur input', function() {
$(this).val($(this).val().replace(/(\r\n|\n|\r)/gm,""));
});
And, as other people have already mentioned, if they can't do line breaks, you shouldn't be using a textarea.
I assume your problem is with the paste event.
If i guessed this is my snippet:
$(function () {
$('textarea[name="titleIdea"]').on('paste', function(e) {
var data;
if (window.clipboardData) { // for IE
data = window.clipboardData.getData('Text');
} else {
data = e.originalEvent.clipboardData.getData('Text');
}
var match = /\r|\n/.exec(data);
if (match) {
alert('working');
console.log(data);
}
})
});
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<textarea name="titleIdea">
</textarea>
This needs to be handled in the backend. Even if you use the recommended appropriate HTML input type of text (instead of textarea), you still do not remove the possibility of return chars getting saved.
The two other answers use Javascript - which technically is the domain of this question. However, this can not be solved with Javascript! This assumes that the input will always come from the form you created with the JS function working perfectly.
The only way to avoid specific characters being inserted into your database is to parse and clean the data in the backend language prior to inserting into your database.
For example, if you are using PHP, you could run a similar regex that stripped out the \n\r chars before it went into processing.
Javascript only helps the UX in this case (the user sees what they will be saving). But the only way to ensure you have data integrity is to validate it on the server side.
I've been going through and trying to find an answer to this question that fits my need but either I'm too noob to make other use cases work, or their not specific enough for my case.
Basically I want to use javascript/jQuery to replace any and all ampersands (&) on a web page that may occur in a links href with just the word "and". I've tried a couple different versions of this with no luck
var link = $("a").attr('href');
link.replace(/&/g, "and");
Thank you
Your current code replaces the text of the element within the jQuery object, but does not update the element(s) in the DOM.
You can instead achieve what you need by providing a function to attr() which will be executed against all elements in the matched set. Try this:
$("a").attr('href', function(i, value) {
return value.replace(/&/g, "and");
});
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
link
link
Sometimes when replacing &, I've found that even though I replaced &, I still have amp;. There is a fix to this:
var newUrl = "#Model.UrlToRedirect".replace(/&/gi, '%').replace(/%amp;/gi, '&');
With this solution you replace & twice and it will work. In my particular problem in an MVC app, window.location.href = #Model.UrlToRedirect, the url was already partially encoded and had a query string. I tried encoding/decoding, using Uri as the C# class, escape(), everything before coming up with this solution. The problem with using my above logic is other things could blow up the query string later. One solution is to put a hidden field or input on the form like this:
<input type="hidden" value="#Model.UrlToRedirect" id="url-redirect" />
then in your javascript:
window.location.href = document.getElementById("url-redirect").value;
in this way, javascript won't take the c# string and change it.
I am new in python and I want to filter html tags by using regex. I used the function as below:
def filter_tags(htmlstr):
re_cdata=re.compile('//<!\[CDATA\[.*//\]\]>',re.DOTALL)
re_script=re.compile('<\s*script[^>]*>[^<]*<\s*/\s*script\s*>',re.DOTALL)#Script
re_style=re.compile('<\s*style[^>]*>[^<]*<\s*/\s*style\s*>',re.I)#style
re_br=re.compile('<br\s*?/?>')
re_h=re.compile('</?\w+[^>]*>')
re_function = re.compile('')
re_comment=re.compile('<!--[^>]*-->')
s=re_cdata.sub('',htmlstr)
s=re_script.sub('',s)
s=re_style.sub('',s)
s=re_br.sub('',s)
s=re_h.sub('',s)
s=re_comment.sub('',s)
s = re.sub('\\t','',s)
s = re.sub(' ','',s)
return s
Most tags and codes can be removed except some js functions, and I got some trouble like this:
(function(){
NTES.ajax.importJs('http://news.163.com/special/hot_tags_recommend_data/',function(){
varname1,name2,len1,len2,width1,width2,left2;
varloveData=['拎婚房待嫁北京爷们','请网友鉴定是否美女'];
if(hotTagsData.count&&hotTagsData.count>0){
varcode='#from=article',
html=[],
item={name:'',url:''};
for(vari=0;i<hotTagsData.data.length&&i<4;i++){
item=hotTagsData.data[i];
html.push(''+item.name+'');
if(i==1){name1=item.name;}
if(i==2){name2=item.name;}
}
html.push(loveData[0]);
html.push(loveData[1]);
NTES('#js-extraTagList').innerHTML=html.join('');
len1=name1.replace(/[^\x00-\xff]/gi,"aa").length;
len2=name2.replace(/[^\x00-\xff]/gi,"aa").length;
width1=Math.floor((len1/(len1+len2))*271);
width2=271-width1;
left2=96+width1+19;
NTES('.extra-tag-1').addCss('width:'+width1+'px');
NTES('.extra-tag-2').addCss('width:'+width2+'px;left:'+left2+'px;');
}
},'gbk');
})();
As you can see, there are many founctions like this.So how can I remove these by using regex? thanks a lot.
Your regular expression: <\s*script[^>]*>[^<]*<\s*/\s*script\s*> should not have the [^<]*. You should reserve that just for matching tags themselves. Instead you should use the non-greedy *, usually syntactically denoted as: *? so it would look like <\s*script[^>]*>.*?<\s*/\s*script\s*>. You should change this where ever you made that, including the style tags and comment regex.
This should take care of the majority of cases. However it still does not protect you from tags that have a string in it with '</script>', although that should be rare. Such cases are most likely far and few between and if such a case arises you can strip it out manually.
I have solved this problem by DataHerder's answer.when I change my regular expression as the way he says.Most of the code can be removed, but only a little js code not.so I watched the raw html code, and found that the js code which is not removed looks like this:
<SCRIPT LANGUAGE="JavaScript">
var cpm_rdm=Math.random();
</SCRIPT>
<!--五分之一视窗 020903-->
<SCRIPT type="text/javascript">
adInfoTempSc =
{
src:"http://img2.126.net/ntesrich/2015/0922/1442887187409_89q7.swf",
url:"http://g.163.com/a?CID=37873&Values=1760993544&Redirect=http://e.cn.miaozhen.com/r/k=2012070&p=6we7m&ro=sm&dx=0&rt=2&ns=__IP__&ni=__IESID__&v=__LOC__&nd=__DRA__&np=__POS__&nn=__APP__&o=http://cars.fxauto.com.cn/s500/003/",
key:"8531446021442887975191892"
}
if(cpm_rdm>0.6&&cpm_rdm<0.8){
document.write('<scr'+'ipt type="text/javascript" src="http://img2.126.net/ntesrich/2015/0901/scbox-2015.09.01.js"></scr'+'ipt>');
}
</SCRIPT>
I thought the reson that the code can't be removed is this is written by upper case, just like this:<SCRIPT LANGUAGE="JavaScript">. So I add a little to my regular expression.Now I can filter all the tags and codes.thanks again.
The regex now :
re_cdata=re.compile('//<!\[CDATA\[.*//\]\]>',re.DOTALL)
re_script=re.compile('<\s*script[^>]*>.*?<\s*/\s*script\s*>',re.DOTALL|re.I)
re_style=re.compile('<\s*style[^>]*>.*?<\s*/\s*style\s*>',re.DOTALL|re.I)
re_br=re.compile('<br\s*?/?>')
re_h=re.compile('</?\w+.*?>',re.DOTALL)
re_comment=re.compile('<!--.*?-->',re.DOTALL)
re.I is used to match uppercase
I know this has been talked here, but no solutions were offer to the exact problem. Please, take a look...
I'm using a function to transform plain-text URLs into clickable links. This is what I have:
<script type='text/javascript' language='javascript'>
window.onload = autolink;
function autolink(text) {
var exp = /(\b(https?|ftp):\/\/[-A-Z0-9+&##\/%?=~_|!:,.;]*[-A-Z0-9+&##\/%=~_|])/gim;
document.body.innerHTML = document.body.innerHTML.replace(exp,"<a href='$1'>$1</a>");
}
</script>
This makes
https://stackoverflow.com/
Looks like:
https://stackoverflow.com/
It works, but also replace the existent HTML links with nested links.
So, a valid HTML link like
StackOverflow
Becomes something messy like:
StackOverflow">StackOverflow</a>...
How can I fix the expression to ignore the content of link tags? Thanks!
I'm a newbie... I barely understand the regex code. Please be gentle :) Thanks again.
Using the jQuery JavaScript library, this would look like (demo at http://jsfiddle.net/BRPRH/4):
function autolink() {
var exp = /(\b(https?|ftp):\/\/[-A-Z0-9+\u0026##\/%?=~_|!:,.;]*[-A-Z0-9+\u0026##\/%=~_|])/gi,
lt = '\u003c',
gt = '\u003e';
$('*:not(a, script, style, textarea)').contents().each(function() {
if (this.nodeType == Node.TEXT_NODE) {
var textNode = $(this);
var span = $(lt + 'span/' + gt).text(this.nodeValue);
span.html(span.html().replace(exp, lt + 'a href=\'$1\'' + gt + '$1' + lt + '/a' + gt));
textNode.replaceWith(span);
}
});
}
$(autolink);
Edit: Excluded textareas, scripts, and embedded CSS. I note that this can also be done using pure DOM's splitText, which has the advantage of not adding extra span elements.
Edit 2: Eliminated all ampersands and double quotes.
Edit 3: Got rid of < and > characters as well.
This problem is beyond the power of regular expressions. You might be able to write a regex that could avoid some links, but you wouldn't be able to avoid every existing link.
The good news is that a different approach will make the job much easier. Right now you using document.body.innerHTML to manipulate the HTML as plain text. To do it correctly that way, you will basically need to parse the HTML yourself. But you don't have to, because the browser has already parsed it for you!
The web browser allows you to access an HTML document as a series of object. It's called the Document Object Model (DOM) and if you do some reading on that, you should be able to learn how to traverse through the HTML, skipping over anything inside an A element, and using the regex you have on plain text only.
I have the following
var id='123';
newDiv.innerHTML = "";
Which renders in my HTML.
The problem I have is that I wish to take the call to the method TestFunction, and use as a string parameter in my function StepTwo(string, boolean), which would ideally end up in live HTML as shown...
notice how the TestFunction is a string here (it is executed within StepTwo using eval).
I have tried to format my JS as by :
newDiv.innerHTML = "";
but while this appears to me correct in my IDE, in the rendered HTML, it as garbelled beyond belief.
Would appreciate if anyone could point me in the right direction. Thanks!
One of the biggest capital failures on the internet is creating html in javascript by gluing strings together.
var mya = document.createElement("a");
mya.href="#";
mya.onclick = function(){
StepTwo(function(){
TestFunction('123', false );
}, true );
};
newDiv.innerHTML = "";
newDiv.appendChild(mya);
This Eliminates the need for any fancy escaping stuff.
( I probably should do 'onclick' differently, but this should work, I'm trying hard not to just use jQuery code to do everything )
Heres how I would do it in jQuery:
jQuery(function($){
var container = $("#container");
var link = document.createElement("a"); /* faster than $("<a></a>"); */
$(link).attr("href", "Something ( or # )" );
$(link).click( function(){
var doStepTwo = function()
{
TestFunction('123', true );
};
StepTwo( doStepTwo, false ); /* StepTwo -> doStepTwo -> TestFunction() */
});
container.append(link);
});
There is no good excuse for gluing strings together in Javascript
All it does is ADD overhead of html parsing back into dom structures, and ADD potential for XSS based broken HTML. Even beloved google get this wrong in some of their advertising scripts and have caused epic failures in many cases I have seen ( and they don't want to know about it )
I don't understand Javascript is the only excuse, and it's NOT a good one.
Try using " instead of \"
newDiv.innerHTML = "<a href="#"...
You should be using " not " or \" inside an HTML string quoted with double-quotes.
NewDiv.innerHTML = "";
There's probably a better way to do this - any time you find yourself using eval() you should stand back and look for a different solution.
You claim that eval is the right thing to do here. I'm not so sure.
Have you considered this approach:
and in your StepTwo function
function StepTwo(func,args,flag){
//do what ever you do with the flag
//instead of eval use the function.apply to call the function.
func.apply(args);
}
You could create the a element and attach to the click event using DOM Methods.
A Javascript Framework (like the ubiquitous jQuery) would make this a lot easier.
Your biggest problem is using eval, it leads to so many potential problems that it's nearly always better to find an alternative solution.
Your immediate problem is that what you really have is
as the next " after the start of the onclick attribute, closes it. Use " as others have suggested. And don't use eval.
You need to alternate your " and '.
Maybe you don't need quotes around the 123, because of Javascripts flexible typing. Pass it without quotes but treat it as a string within TestFunction.
Hey guys, thanks for all the answers. I find that the quot; seems to work best.
I'll give you guys some votes up once I get more reputation!
In regards to eval(), what you see in the question is a very small snapshot of the application being developed. I understand the woes of eval, however, this is one of those one in a million situations where it's the correct choice for the situation at hand.
It would be understood better if you could see what these functions do (have given them very generic names for stackoverflow).
Thanks again!
The best way is to create the element with document.createElement, but if you're not willing to, I guess you could do or use ".
In your code:
newDiv.innerHTML = "";
If it doesn't work, try changing "\'" to "\\'".
Remember that the " character is used to open and close the attribute on HTML tags. If you use it in the attribute's value, the browser will understand it as the close char.
Example:
<input type="text" value="foo"bar"> will end up being <input type="text" value="foo">.
...
I know this is hella' old now, but if anyone has issues with escaped strings when using eval (and you absolutely have to use eval), I've got a way to avoid problems.
var html = '';
eval('(function(div, html){div.innerHTML = html;})')(newDiv, html);
So, what's going on here?
eval creates a function that contains two parameters, div and html and returns it.
The function is immediately run with the parameters to the right of the eval function. This is basically like an IIFE.
In this case
var myNewMethod = eval('(function(div, html){div.innerHTML = html;})');
is basically the same as:
var myNewMethod = function(div, html){div.innerHTML = html;}
and then we're just doing this:
myNewMethod(newDiv, html); //where html had the string containing markup
I would suggest not using eval. If it can't be avoided, or if you control all the inputs and there's no risk of injection then this will help in cases where string escapes are an issue.
I also tend to use Function, but it isn't any more secure.
Here's the snippet I use:
var feval = function(code) {
return (new Function(code))();
}