Sanitizing a string in php and javascript - javascript

How to check if the string contains any tags <>. I need to sanitize my string from xss attacks or attacks like that.
I am looking for a function which can santize my string in javascript and php.
This is what I have for java script , please let me know if this is correct ?
function parseThisString(strcode) {
var scripts = new Array();
while(strcode.indexOf("<") > -1 || strcode.indexOf("</") > -1) {
var s = strcode.indexOf("<");
var s_e = strcode.indexOf(">", s);
var e = strcode.indexOf("</", s);
var e_e = strcode.indexOf(">", e);
scripts.push(strcode.substring(s_e+1, e));
strcode = strcode.substring(0, s) + strcode.substring(e_e+1);
}
if (scripts.length > 0) { return 1; } else { return 0; }
}
Can you guys show me any solid string sanitizing function in php ? I found this answer but I didt know how to transilate this function to a single return with 0 or 1 (yes or no) .
What is the correct way to detect whether string inputs contain HTML or not?
Please help me here . Thanks.

You can escape any html tags using htmlspecialchars().
$string = htmlspecialchar($old_string);
You can remove all html tags from string using strip_tags().
$string = strip_tags($old_string);
But if you wanna know if there's html tags in the string, you can use this function, combinated with strip_tags().
function hasHTML($string) {
if ($string != strip_tags($string))
return true;
else
return false;
}

Related

How transcribe remove number custom function Excel VBA function to Google Sheets Google Script (Javascript)

I need to transcribe a VBA script to Javascript but i got stuck in the java part
The main meaning is to remove numbers from a text like "texthere 123456789"
My VBA code is:
Function RemoveNum(Txt As String) As String
With CreateObject("VBScript.RegExp")
.Global = True
.Pattern = "[0-9]"
RemoveNum = .Replace(Txt, "")
End With
End Function
My Javascript attempt was:
function RemoveNumbers(RemoveNumbers) {
var RemoveNumbers;
//var str = RemoveNumbers.toString();
var str = RemoveNumbers;
str.Value.replace(/[0-9]/g, '');
}
Or even:
function rn(remvnum) {
var str = remvnum;
var n = str.toString();
var res = n.replace(/[0-9]/gmi, '');
}
What does stop me reaching the result is, the .Replace function needs to be string content otherwise will return error of undefined value, also I can't convert toString because it returns error of undefined value.
This example bellow works well as the name of the function is written in the Google Sheet cell as a custom function, but I didn't achieve the remove number desire:
function styleHyphenFormat(propertyName) {
function upperToHyphenLower(match, offset, string) {
return (offset ? '-' : '') + match.toLowerCase();
}
return propertyName.replace(/[A-Z]/g, upperToHyphenLower);
}
Does someone knows what I did wrong?
Thanks in advance.
Try removeNumbers = removeNumbers.replace(/[0-9]/g, ''); or set a new var like noNums = removeNumbers.replace(/[0-9]/g, '');
You just need to return the replaced value:
function rn(remvnum) {
//var str = remvnum;
//var n = str.toString();
var res = remvnum.toString().replace(/[0-9]/gmi, '');
return res; //Added
}
Google sheets supports regex(re2) as a built-in function unlike excel. So, You don't need macros. Even if you want a global replace, The Find and replace menu works well with regex.
=REGEXREPLACE(A2,"\d",)
or
=ARRAYFORMULA(REGEXREPLACE(A2:A5,"\d",))
\d is digit(==[0-9])

Building JavaScript Array in C#, apostrophes changing

I have done this to build JavaScript Arrays from int, double and string lists.
public string listToJsArray<T>(List<T> cslist)
{
bool numeric = true;
if(
!(typeof(T)==typeof(int)
|| typeof(T) == typeof(string)
|| typeof(T) == typeof(double))
)
{
throw (new ArgumentException(message: "Only int, double and string are supported"));
}
if(typeof(T)==typeof(string))
{
numeric = false;
}
string JsArray = "[";
for(int i=0;i<cslist.Count;i++)
{
string dataWithSurrendings = cslist[i].ToString();
if(!numeric)
{
dataWithSurrendings = "'" + cslist[i].ToString() + "'";
}
if(i !=0)
{
dataWithSurrendings = "," + dataWithSurrendings;
}
if(i +1==cslist.Count)
{
dataWithSurrendings = dataWithSurrendings + "]";
}
JsArray += dataWithSurrendings;
}
return JsArray;
}
My problem is when a list of strings is passed, apostrophes turn into '.
for example, a list of {"1","2","3","4","5","6","7"} becomes this:
['1','2','3','4','1','6','7']
What modification is needed in this function, to return a correct array in JavaScript?
None of solutions did solve the problem. With JsonConvert I get almost same result. The problem is the single or double quote in View editor have not the same encoding as CS string.
I'm assuming that you are doing this to drop into a webpage somewhere, something like:
<script>
#{
var output = listToJsArray(Model.SomeList);
}
var myArray = #Html.Raw(output);
// some Javascript using that array
</script>
Don't waste your time trying to do it yourself. It's a pain and you are reinventing the wheel. JSON is valid Javascript and a serialization of an array into JSON is absolutely identical to a Javascript array literal. So use Javascript. JSON.Net is really useful here:
<script>
#{
var output = Newtonsoft.Json.JsonConvert.SerializeObject(Model.SomeList);
}
var myArray = #Html.Raw(output);
// some Javascript using that array
</script>
The serializer will handle all the annoying escaping, special characters and edge cases for you.

regex detect url and prepend http:// [duplicate]

This question already has answers here:
Adding http:// to all links without a protocol
(4 answers)
Closed 8 years ago.
I would like to detect url's that are entered in a text input. I have the following code which prepends http:// to the beginning of what has been entered:
var input = $(this);
var val = input.val();
if (val && !val.match(/^http([s]?):\/\/.*/)) {
input.val('http://' + val);
}
How would I go about adapting this to only append the http:// if it contains a string followed by a tld? At the moment if I enter a string for example:
Hello. This is a test
the http:// will get appended to hello, even though it's not a url. Any help would be greatly appreciated.
This simple function works for me. We don't care about the real existence of a TLD domain to gain speed, rather we check the syntax like example.com.
Sorry, I've forgotten that VBA trim() is not intrinsic function in js, so:
// Removes leading whitespaces
function LTrim(value)
{
var re = /\s*((\S+\s*)*)/;
return value.replace(re, "$1");
}
// Removes ending whitespaces
function RTrim(value)
{
var re = /((\s*\S+)*)\s*/;
return value.replace(re, "$1");
}
// Removes leading and ending whitespaces
function trim(value)
{
return LTrim(RTrim(value));
}
function hasDomainTld(strAddress)
{
var strUrlNow = trim(strAddress);
if(strUrlNow.match(/[,\s]/))
{
return false;
}
var i, regex = new RegExp();
regex.compile("[A-Za-z0-9\-_]+\\.[A-Za-z0-9\-_]+$");
i = regex.test(strUrlNow);
regex = null;
return i;
}
So your code, $(this) is window object, so I pass the objInput through an argument, using classical js instead of jQuery:
function checkIt(objInput)
{
var val = objInput.value;
if(val.match(/http:/i)) {
return false;
}
else if (hasDomainTld(val)) {
objInput.value = 'http://' + val;
}
}
Please test yourself: http://jsfiddle.net/SDUkZ/8/
The best solution i have found is to use the following regex:
/\.[a-zA-Z]{2,3}/
This detects the . after the url, and characters for the extension with a limit of 2/3 characters.
Does this seem ok for basic validation? Please let me know if you see any problems that could arise.
I know that it will detect email address's but this wont matter in this instance.
You need to narrow down your requirements first as URL detection with regular expressions can be very tricky. These are just a few situations where your parser can fail:
IDNs (госуслуги.рф)
Punycode cases (xn--blah)
New TLD being registered (.amazon)
SEO-friendly URLs (domain.com/Everything you need to know about RegEx.aspx)
We recently faced a similar problem and what we ended up doing was a simple check whether the URL starts with either http://, https://, or ftp:// and prepending with http:// if it doesn't start with any of the mentioned schemes. Here's the implementation in TypeScript:
public static EnsureAbsoluteUri(uri: string): string {
var ret = uri || '', m = null, i = -1;
var validSchemes = ko.utils.arrayMap(['http', 'https', 'ftp'], (i) => { return i + '://' });
if (ret && ret.length) {
m = ret.match(/[a-z]+:\/\//gi);
/* Checking against a list of valid schemes and prepending with "http://" if check fails. */
if (m == null || !m.length || (i = $.inArray(m[0].toLowerCase(), validSchemes)) < 0 ||
(i >= 0 && ret.toLowerCase().indexOf(validSchemes[i]) != 0)) {
ret = 'http://' + ret;
}
}
return ret;
}
As you can see, we're not trying to be smart here as we can't predict every possible URL form. Furthermore, this method is usually executed against field values we know are meant to be URLs so the change of misdetection is minimal.
Hope this helps.

argument problem On function argument ($0,$1);+jquery,js?

Doubt On function($0,$1);
// $0,$1 two argument
My question is this two argument are Not defined But it hold some data on it ???
can any on help to Understand
how this two argument run;
function strip_tags(input, allowed) {
allowed = (((allowed || "") + "").toLowerCase().match(/<[a-z][a-z0-9]*>/g) || []).join('');
//console.log('----------->'+allowed.join('ss'));
var tags = /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi,
commentsAndPhpTags = /<!--[\s\S]*?-->|<\?(?:php)?[\s\S]*?\?>/gi;
return input.replace(commentsAndPhpTags,'').replace(tags, function ($0, $1) { // need help to understand $0 , $1
//console.log('----------->'+$1);
return allowed.indexOf('<' + $1.toLowerCase() + '>') > -1 ? $0 : '';
});
}
That is a really bad way to sanitize markup. It's almost guaranteed to have some loopholes. A simpler way would just be to strip all markup:
var stripTags = function(str) {
return str.replace(/<[^>]+>/g, '');
};
As far as allowing specific elements goes, it would be better to write a tokenizer, iterate over the tokens, drop everything that's not allowed, and then output the markup from those tokens.
But if you don't care to write a tokenizer, this would be a better way of going about it, even though it's still kind of crude:
var allowed = { p: true, a: true };
var sanitize = function(str) {
return str.replace(/<\s*\/?\s*([^\s>]+)[^>]*>/g, function(tag, name) {
if (!allowed[name.toLowerCase()]) {
return '';
}
return tag;
});
};
But as the comment above mentions, if you're only sanitizing a user's markup on the client-side, it's a major problem. You need to be doing sanitization on the server-side.
return input.replace(commentsAndPhpTags, '').replace(tags, function (input, group1) {
//console.log('----------->'+group1);
return allowed.indexOf('<' + group1.toLowerCase() + '>') > -1 ? input : '';
});
You regex /<\/?([a-z][a-z0-9]*)\b[^>]*>/gi contains only a group match, which will be the content inside parentheses ([a-z][a-z0-9]*), replace() will pass to your function the original string and the group matches.
However, your regex should be like this /(<\/?[a-z][a-z0-9]*\b[^>]*>)/gi in order to be able to strip the tags.

How to add JavaScript if the URL has a certain word?

I want to add the the following jQuery to the following pages only.
http://www.mywebsite.com/check-8.asp
http://www.mywebsite.com/edit-8.asp
http://www.mywebsite.com/cart-8.asp
So this means I want to add it where URL string contains either check-8, cart-8 or edit-8.
What is the best way with jQuery or JavaScript?
var text = $('#system td.td-main').html();
if (text != null)
{
var newtext = text.replace("Pris","<div id=\"pricebox\">Pris").replace("mva\)","mva\)</div>");
$('#system td.td-main').html(newtext);
}
Thanks in advance.
if(location.pathname.indexOf('check-8') > 0 || location.pathname.indexOf('cart-8') > 0 || location.pathname.indexOf('edit-8') > 0){
//your code here
}
Or you can use the following:
function testForCheckEditCart() {
var patt = /(check|edit|cart)-8/i;
return patt.test(location.href);
}
If you want a pure JavaScript solution, use the window.location property:
if (window.location.href.match(/(check|cart|edit)-8/).length > 0) {
// do your stuff
}
You can use the string.match method to check if it matches a Regex. You can also factor it out if you need to know which one it is:
var matches = window.location.href.match(/(check|cart|edit)-8/);
if (matches.length > 0) {
var action = matches[1]; // will be check, cart or edit
}

Categories

Resources