Sanitizing forms in vibe.d. How?
Adam D. Ruppe via Digitalmars-d-learn
digitalmars-d-learn at puremagic.com
Thu Dec 15 11:57:49 PST 2016
On Monday, 12 December 2016 at 11:32:42 UTC, Nicholas Wilson wrote:
> for strip_tags I would look for an xml library (e.g. arsd.dom)
> and parse it and then reprint it without the tags. There's
> probably a better way to do it though. I'm sure Adam Ruppe will
> be able to help you there.
Well, it depends what you are doing with it. If you are just
outputting user data, I wouldn't allow any HTML at all... but I'd
do it by encoding it all. So if they write "<script>" in the
form, the output will be "&lt;script&gt;", which is harmless.
dom.d's htmlEntitiesEncode will do that:
http://dpldocs.info/experimental-docs/arsd.dom.htmlEntitiesEncode.html
auto safe = htmlEntitiesEncode(user_data);
Compare htmlentities() in PHP.
If you want to allow some HTML but not all, then yeah, you can
use the full DOM parser and rip stuff out that way.
Element.stripOut <http://dpldocs.info/experimental-docs/arsd.dom.Element.stripOut.html>
can help with that, or innerText
<http://dpldocs.info/experimental-docs/arsd.dom.Element.innerText.1.html>.
ask me if you need more
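The three approaches named in the reply (encode everything, allow a handful of tags by parsing with arsd.dom and calling stripOut, or keep only innerText), written out as an added example. This is not code from the post or from the arsd library itself; it assumes arsd.dom is on the compiler's import path (for dub, the arsd-official:dom subpackage), that Element.make and the innerHTML setter behave as they do in current arsd.dom, and the sample comment in main() is constructed for illustration.

```d
// Added example, not code from the post or from arsd. Assumes arsd.dom is
// importable (dub: arsd-official:dom) and that Element.make / innerHTML
// work as in current arsd.dom.
import arsd.dom;
import std.algorithm : canFind, startsWith;
import std.string : strip, toLower;

/// Strategy 1: allow no HTML at all. The whole field is entity encoded,
/// so "<script>" reaches the page as "&lt;script&gt;" and renders as text.
string plainText(string userData)
{
    return htmlEntitiesEncode(userData);
}

/// Strategy 2: allow a small set of formatting tags and nothing else.
/// Unknown tags are stripped out (their text survives), script and style
/// vanish together with their contents, and every attribute is dropped
/// except an http(s) href on <a>. Event-handler attributes therefore never
/// get through, whatever their name.
string limitedHtml(string userData)
{
    static immutable allowedTags =
        ["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"];

    // Parse the fragment under a throwaway wrapper so the document root is
    // never involved and only the children are serialised at the end.
    auto wrapper = Element.make("div");
    wrapper.innerHTML = userData;

    // Snapshot the tree first: stripOut and removeFromTree rearrange it,
    // and mutating while walking `children` would skip nodes.
    Element[] descendants;
    void collect(Element e)
    {
        foreach (child; e.children) {
            descendants ~= child;
            collect(child);
        }
    }
    collect(wrapper);

    foreach (e; descendants) {
        if (cast(TextNode) e)            // text is entity encoded on output
            continue;
        if (e.tagName == "script" || e.tagName == "style") {
            e.removeFromTree();          // the contents are unwanted too
            continue;
        }
        if (!allowedTags.canFind(e.tagName)) {
            e.stripOut();                // keep the children, lose the tag
            continue;
        }
        // .keys is a copy, so removing attributes inside the loop is safe.
        foreach (name; e.attributes.keys) {
            bool keep = e.tagName == "a" && name == "href"
                && e.getAttribute("href").strip.toLower
                    .startsWith("http://", "https://");
            if (!keep)
                e.removeAttribute(name);
        }
    }
    return wrapper.innerHTML;
}

/// Strategy 3: throw the markup away entirely and keep the visible text,
/// then encode that text like any other plain field before output.
string textOnly(string userData)
{
    auto wrapper = Element.make("div");
    wrapper.innerHTML = userData;
    return htmlEntitiesEncode(wrapper.innerText);
}

void main()
{
    import std.stdio : writeln;
    // Constructed sample form field, chosen to exercise each branch above.
    enum comment = `<p>Hi <b onclick="x()">there</b></p>` ~
        `<script>alert(1)</script><a href="javascript:alert(2)">link</a>`;
    writeln(plainText(comment));
    writeln(limitedHtml(comment));
    writeln(textOnly(comment));
}
```

In a vibe.d handler the choice between the three is per field: plainText for anything that is displayed verbatim (names, titles), limitedHtml only where formatted input is a feature, and in every case the result is inserted into the template as already-encoded HTML rather than encoded a second time.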