
I have a textarea in my web application where a user can enter anything, and it is saved as a string in the DB. If the user enters some JavaScript code in the textarea, it executes when we try to view it on the saved-data page. Is there any generic way to prevent this?

  • Which framework are you using for your application? Commented May 5, 2015 at 10:52

1 Answer


You should never display input from a user without escaping it. You'd take the input the user gives you and store it as is, but when you display it again, you have to do proper escaping. Just manually stripping out <script> is not enough.

There are numerous ways of escaping content depending on the framework/platform you're using, and such functionality is probably even built into the templating solution you're using.

EDIT

I'm not familiar with the Stripes framework, but after a quick Google search this turned up: http://stripes.sourceforge.net/docs/current/javadoc/net/sourceforge/stripes/util/HtmlUtil.html


2 Comments

Somebody inserted the text below as a first name, and now whenever we open the web page it gives a pop-up. Is there any generic way in Stripes to prevent this? `<script>alert(1);</script>`
Edited my response with a possible solution.
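The pattern the answer describes (store the raw string, escape at the output boundary), as an added example that is not part of the answer or of Stripes; the in-memory `db`, `saveFirstName` and `renderSavedDataPage` are constructed for illustration, and the payload is the one from the comment above.

```javascript
// Added example: store user input unchanged, escape it only when rendering HTML.
// This encoder is for HTML element content and quoted attribute values; other
// output contexts (JavaScript strings, URLs, CSS) need their own encoders.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed in-memory "database": values are saved exactly as submitted,
// so nothing is lost and the same value can later be encoded for any context.
const db = [];
function saveFirstName(raw) {
  db.push({ firstName: raw });
  return db.length - 1; // row id
}

// The saved-data page: escaping happens here, at the output boundary,
// for every user-controlled value that is placed into the markup.
function renderSavedDataPage() {
  const rows = db.map((r) => `<li>${escapeHtml(r.firstName)}</li>`).join('');
  return `<ul>${rows}</ul>`;
}

// Demonstration with the first name from the comment thread.
const id = saveFirstName('<script>alert(1);</script>');
const html = renderSavedDataPage();
console.log(db[id].firstName); // stored verbatim: <script>alert(1);</script>
console.log(html); // <ul><li>&lt;script&gt;alert(1);&lt;/script&gt;</li></ul>
```

The browser now receives text that reads as `<script>alert(1);</script>` but contains no script element, so nothing executes; the raw value in `db` is untouched for other uses.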
