Gossamer Forum

prevent html tags

I've searched here and in the FAQ and can't find an answer. Is there a way to prevent a user from including HTML tags in a field, such as <a href = .... etc.?
Thanks
Re: [delicia] prevent html tags
In db.cgi, under the sub "parse_form", I have the following added just after this line:
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

Code:

$value =~ s/<!--(.|\n)*-->//g; # Remove SSI.
$value =~ s/<([^>]|\n)*>//g; # Removes HTML Tags
$value =~ s/"//g; # Removes Quotes
$value =~ s/N\.aN//g; # Removes JavaScript Number Errors: N.aN
Re: [Watts] prevent html tags
Perfect -- thank you!!! If you have time, could you explain the last line?
Re: [delicia] prevent html tags
I'm having a problem. I have one field (external text field mod) that I am allowing HTML in, in only one database. I have a flag in cfg called $allow_html. I am able to add a new record with the tag, but when I modify the record it removes the tag. Can you see what's wrong? Here's my parse:

sub parse_form {
# --------------------------------------------------------
# Turns the CGI parameters into a hash of field name => value.
# $query (the CGI object) and $allow_html (set in the database .cfg)
# are globals defined elsewhere in db.cgi.
    my (%in);
    my ($buffer, $pair, $name, $value, @value);
    PAIR: foreach $name ($query->param()) {
        @value = $query->param("$name");
        $value = join '~~', @value;      # multi-valued fields joined with ~~
        $name =~ tr/+/ /;
        $name =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        unless ($allow_html) {           # only strip when the cfg flag is off
            $value =~ s/<!--(.|\n)*-->//g; # Remove SSI.
            $value =~ s/<([^>]|\n)*>//g; # Removes HTML Tags 3/6/2008
            $value =~ s/"//g; # Removes Quotes 3/6/2008
            $value =~ s/N\.aN//g; # Removes JavaScript Number Errors: N.aN 3/6/2008
        }
        if ($value eq "---") { next PAIR; }
        if ($value eq "http://") { next PAIR; } # Removes default beginning of URLs
        unless ($value) { next PAIR; }   # skip empty values
        $in{$name} = $value;
    }
    return %in;
}
Re: [delicia] prevent html tags
I have a form in my db that uses JavaScript to calculate totals, etc. Every now and then someone will put in a space or some other character that causes the JavaScript to break. JavaScript returns N.aN ("not a number", if I'm not mistaken) when it's given something like 2 + A = N.aN (instead of 2 + 2 = 4). The invalid number causes another db to crash when it finds something other than a number in the field (upon importing the data into the new db).

As for the other item... I can only troubleshoot by process of elimination... lemme play with a copy of mine and see (unless someone else spots it - it'll prolly be obvious to anyone who knows Perl, but I'm a hacker not a programmer so I can only hack at it. ha ha).
Re: [Watts] prevent html tags
Any luck on the "unless" statement? I tried several things but none worked....
Re: [Watts] prevent html tags
No luck. I don't understand why it would ignore the unless statement. I've had problems before with scripts ignoring require statements inside conditions, but I think I've read why and it made sense. But I don't see why it would ignore substitutions!
Re: [delicia] prevent html tags
I was thinking that if they were "using strict" then maybe it was ignoring undeclared variables, but that doesn't seem to be the case... Try adding "use warnings;" under the shebang in db.cgi and see if it squawks about anything.
Re: [Watts] prevent html tags
I typed use warnings; under the first line and I got a server error. I added -w to the shebang and it ran OK, but I didn't get any warnings. Was this correct?
Re: [delicia] prevent html tags
I'm thinking about moving the substitutions to the validate_record sub instead of parse_form. What do you think??
Re: [delicia] prevent html tags
The best I can tell is that the parse_form sub runs before anything else happens... If you move it to validate_record then you'd have the option of giving specific error messages for specific records, such as "please don't use html tags", etc., as opposed to just silently stripping them from the form input. Not sure if that'd create any security holes or not?
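The four substitutions from Watts's reply and the validate_record alternative discussed here, as an added example that is not part of the original thread or of DBMan's own code; the clean_value and html_error names, the $allow_html argument and the sample field values are assumptions made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not DBMan's own code): the four substitutions from the
# thread wrapped in a function controlled by an $allow_html flag like the
# one in the thread's cfg, plus a validate_record-style check that reports
# tags instead of silently stripping them. Field names and values are
# constructed for the demonstration.
use strict;
use warnings;

# Same substitutions as the db.cgi snippet, skipped when HTML is allowed.
sub clean_value {
    my ($value, $allow_html) = @_;
    return $value if $allow_html;
    # Note: (.|\n)* is greedy, so a value holding two comments loses
    # everything from the first "<!--" to the last "-->" (see Notes below).
    $value =~ s/<!--(.|\n)*-->//g;   # Remove SSI / HTML comments
    $value =~ s/<([^>]|\n)*>//g;     # Remove HTML tags
    $value =~ s/"//g;                # Remove double quotes
    $value =~ s/N\.aN//g;            # Remove JavaScript "N.aN" number errors
    return $value;
}

# Alternative for validate_record: leave the value alone and return an
# error message (undef when clean) so the user can be told what to fix.
sub html_error {
    my ($field, $value) = @_;
    return "$field: please don't use HTML tags" if $value =~ /<([^>]|\n)*>/;
    return "$field: please don't use double quotes" if $value =~ /"/;
    return undef;
}

# Constructed sample values, as parse_form sees them after URL decoding.
my %sample = (
    Title => 'Say "hi" <a href="http://example.com">here</a>',
    Notes => '<!-- one --> keep me <!-- two --> and me',
    Total => 'N.aN',
);

for my $field (sort keys %sample) {
    my $v   = $sample{$field};
    my $err = html_error($field, $v);
    printf "%-5s stripped: [%s]\n", $field, clean_value($v, 0);
    printf "%-5s allowed : [%s]\n", $field, clean_value($v, 1);
    printf "%-5s check   : %s\n",   $field, defined $err ? $err : '(ok)';
}
```

Running it shows Title reduced to "Say hi here", Notes reduced to " and me" because the greedy comment pattern swallows "keep me", and Total reduced to an empty string, which parse_form's "unless ($value)" line would then drop entirely.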