When writing a forum or BBS in ASP, we often run into this problem: a user posts an article that contains HTML code. How do we display such an article correctly? If nothing is done either when the data is saved to the database or when the content is written out to the browser, there will be trouble. For example, suppose I post an article containing the following code:
<script language="JavaScript">
for (i=1;i<=10000;i++)
{
parent.moveBy(20,20);parent.moveBy(-20,-20)
}
</script>
When other users read this article, they find their browser window jumping around constantly and the whole screen in a mess. This is commonly known as an "HTML bomb". To serve the users who post and read articles on our forum, we need to block such HTML bombs. There are generally two ways to do this:
The first is to use the ASP program to filter the HTML bomb out of the article before saving it to the database. The method is to replace every half-width "<" and ">" in the article with its full-width equivalent (the HTML entities &lt; and &gt; serve the same purpose, since the browser renders them as the characters themselves) and then save the result to the database. The code is as follows:
'*******************************
' Save the content of the article
' Parameters: Ftitle   article title
'             Fcontent article content
'*******************************
Function Savedoc(Ftitle, Fcontent)
    '..................
    ' Here is the code to connect to the database
    '....................
    ' Filter out HTML bombs and single quotes.
    ' Replace(expr, find, replacewith, start): start = 1 means the whole string.
    ' Single quotes are doubled so the SQL string literal stays valid;
    ' "<" and ">" are replaced so the browser never sees a real tag
    ' (the HTML entities &lt; and &gt; are used here; full-width characters work the same way).
    Ftitle = Replace(Ftitle, "'", "''", 1)
    Ftitle = Replace(Ftitle, "<", "&lt;", 1)
    Ftitle = Replace(Ftitle, ">", "&gt;", 1)
    Fcontent = Replace(Fcontent, "'", "''", 1)
    Fcontent = Replace(Fcontent, "<", "&lt;", 1)
    Fcontent = Replace(Fcontent, ">", "&gt;", 1)
    ' Now the values can be saved to the appropriate database table below.
    '...................
End Function
The second method is to do no processing before saving the article to the database, and instead use ASP to process the data read from the database at display time so that it is shown correctly. Because the article content may be shown in two places, the plain reading view where it is displayed in a table, and the reply page where it must be placed inside a textarea box, two pieces of code are needed, as follows:
'*****************************
' Read the contents of the article and display it in the table
' Parameter: content is the article content read from the database
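As an added example (this is not the original article's code), here is one way to write the display code for the second method in ASP/VBScript, covering both the table view and the textarea view. The function names, the sample article text and the table name in the SQL comment are my own assumptions.

```vbscript
' Added example: the second method, encoding stored article text only at
' display time. Goes inside an ASP <% %> block. Function names and the sample
' text are assumptions, not the original article's code.

' Encode characters that have meaning in HTML. "&" must be handled first,
' otherwise the "&" in "&lt;" would itself be encoded a second time.
' (IIS also provides Server.HTMLEncode, which does the same job.)
Function EncodeForHtml(s)
    Dim r
    r = s
    r = Replace(r, "&", "&amp;")
    r = Replace(r, "<", "&lt;")
    r = Replace(r, ">", "&gt;")
    r = Replace(r, """", "&quot;")
    EncodeForHtml = r
End Function

' Reading view: the article goes into a table cell. Encode first, then turn
' line breaks into <br> so the layout survives without letting any
' user-supplied tag through.
Function ShowInTable(content)
    ShowInTable = Replace(EncodeForHtml(content), vbCrLf, "<br>")
End Function

' Reply view: the article goes inside a <textarea>. The browser decodes the
' entities, so the user sees and edits the original characters, and an
' article containing "</textarea>" cannot close the box early.
Function ShowInTextarea(content)
    ShowInTextarea = "<textarea name=""content"" rows=""12"" cols=""60"">" & _
        EncodeForHtml(content) & "</textarea>"
End Function

' Under this method the text is stored unchanged; only the SQL string
' literal needs its single quotes doubled (an ADO Command object with
' parameters avoids even that).
Function EscapeSqlLiteral(s)
    EscapeSqlLiteral = Replace(s, "'", "''")
End Function

' Constructed sample article: a tag, an entity and a quote, the three cases
' that go wrong if any step is skipped.
Dim sample
sample = "Bob's post: <script>parent.moveBy(20,20)</script> &amp; more" & vbCrLf & "line 2"

Response.Write "<table><tr><td>" & ShowInTable(sample) & "</td></tr></table>"
Response.Write ShowInTextarea(sample)
' SQL fragment for saving (table name assumed):
' "INSERT INTO Doc (Content) VALUES ('" & EscapeSqlLiteral(sample) & "')"
```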
In this way, even if the article contains HTML code or script statements, our forum or BBS still displays the article content correctly. This effectively prevents malicious attacks by individuals on the forum or BBS and makes it more secure and robust.
Another point to note is that single quotes in the article content must be handled before it is saved to the database (the Savedoc function above doubles them); otherwise an error occurs when the SQL statement is executed, since most database systems use the single quote as the string delimiter.
(The ASP code above was tested on Windows NT 4.0 English edition SP5, IIS 4.0 and MS SQL Server 7.0 SP2.)