How to check if the input string has any html content in it 
Question

Hi All,

How to check if the string has any html content in it? Is there any inbuilt function available to do this validation?

Thanks,

KJ


MVP
Rank: #5

Hello Karthik

I don't know. Maybe in Forge you can find something.
The problem is that this requires "parsing" the string, and it would be a complex task.

If you are concerned about using user input as the source for an inline statement in a SQL tool, for example, you should use the EncodeSQL function if it is a simple value, or, if it is a list, you can use the BuildSafe_InClause... functions.

https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way

Cheers.

Rank: #205

To complement what Eduardo said, you can also use the EncodeHtml() built-in function or the SanitizeHTML() Sanitization extension module to prevent any malicious code from being passed into the string.

https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/HTML_Injection_Warning

Best regards

If you want to do it on the server side, use the regex_search method with a regex to check for HTML tags; it will return true if the string contains any HTML tag.

The regex should be like this:

"<\s*([^ >]+)[^>]*>.*?<\s*/\s*\1\s*>"

or 

"<(.|\n)*?>"

link: https://stackoverflow.com/questions/204646/how-to-validate-that-a-string-doesnt-contain-html-using-c-sharp

Or you can give this Forge component with regex a try; it will check the regex on the client side:

https://www.outsystems.com/forge/component-overview/6574/client-side-custom-regex-regular-expression-validations

https://www.outsystems.com/forge/component-overview/6578/regex-client-side-validation-sample


MVP
Rank: #5

Abdul,

I think the Regex method will almost for sure give false positives... No?

Cheers!

MVP
Rank: #5

I am asking if this regex will not mark some "normal" text as if it were HTML tags.
Like, not all text between < and > is an HTML tag...

MVP
Rank: #5

Hum...

I would avoid trying to "validate" the text.
I would just sanitize it, using the same techniques in the link I sent (or that Carlos provided), to just strip out anything that can look like it is HTML/JavaScript/SQL, and move on.
Later, if the request was malicious, it will just fail...

Again, trying to identify things in the text will not be efficient, and probably will give false positives...

But this decision depends on your requirements... (and how your service handles "invalid" requests).

Cheers.
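
An added example, not part of any post in this thread and not OutSystems code: the two patterns quoted above, run as JavaScript regexes over constructed sample strings to show where each one misclassifies, next to encoding the text at output instead. `encodeHtml` is a hypothetical stand-in for a platform function such as EncodeHtml(), and the sample strings and their labels are constructed.

```javascript
// The two patterns quoted in the thread, written as JavaScript regex literals.
const PAIRED_TAG = /<\s*([^ >]+)[^>]*>.*?<\s*\/\s*\1\s*>/; // needs an open AND a matching close tag
const ANY_ANGLE = /<(.|\n)*?>/;                            // anything between < and >

// Hypothetical stand-in for a platform encoder such as EncodeHtml():
// the text is kept as typed, but the browser renders it as text, not markup.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample inputs; isHtml is the label a human reviewer would give.
const SAMPLES = [
  { text: 'Hello <b>world</b>', isHtml: true },
  { text: 'Line one<br>line two', isHtml: true }, // void element, never closed
  { text: 'if a < b and c > d then stop', isHtml: false },
  { text: 'Contact: Jane Doe <jane@example.com>', isHtml: false },
  { text: 'plain text only', isHtml: false },
];

// Compare what a pattern flags against the labels.
function evaluate(pattern, samples = SAMPLES) {
  const falsePositives = [];
  const falseNegatives = [];
  for (const { text, isHtml } of samples) {
    const hit = pattern.test(text);
    if (hit && !isHtml) falsePositives.push(text); // normal text rejected
    if (!hit && isHtml) falseNegatives.push(text); // markup let through
  }
  return { falsePositives, falseNegatives };
}

for (const [name, pattern] of [['PAIRED_TAG', PAIRED_TAG], ['ANY_ANGLE', ANY_ANGLE]]) {
  const { falsePositives, falseNegatives } = evaluate(pattern);
  console.log(name, 'false positives:', falsePositives, 'false negatives:', falseNegatives);
}

// Encoding needs no classification step: every input is stored and shown safely.
for (const { text } of SAMPLES) {
  console.log(encodeHtml(text));
}
```

The stricter pattern misses the unclosed `<br>`, while the looser one rejects the comparison and the e-mail address; encoding handles all five inputs without deciding which of them "is HTML".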

MVP
Rank: #128

Karthik Jeyaraman wrote:

Hi All,

How to check if the string has any html content in it? Is there any inbuilt function available to do this validation?

Thanks,

KJ



Hi,

Could be helpful,


https://www.outsystems.com/forums/discussion/33685/how-to-filter-html-tags-while-searching-for-an-alphabet/


https://www.outsystems.com/forge/component-overview/145/html-utils


Thanks