How to check if the input string has any html content in it

Hi All,

How to check if the string has any html content in it? Is there any inbuilt function available to do this validation?

Thanks,

KJ


Hello Karthik

I don't know. Maybe in Forge you can find something.
The problem is that this requires "parsing" the string, and it would be a complex task.

If you are concerned about using a user input as the source to an inline statement in a SQL tool, for example, you should use the EncodeSQL function in case it is a simple value, or if it is a list, you can use the BuildSafe_InClause... functions.

https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way

Cheers.

To complement what Eduardo said, you can also use the EncodeHtml() built-in function or the SanitizeHTML() Sanitization extension module to prevent any malicious code passed into the string.

https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/HTML_Injection_Warning

Best regards

If you want to do it on the server side, use the regex_search method with a regex to check for html tags; it will return true if it does contain any html tag.

Regex should be like this :

"<\s*([^ >]+)[^>]*>.*?<\s*/\s*\1\s*>"

or 

"<(.|\n)*?>"

link: https://stackoverflow.com/questions/204646/how-to-validate-that-a-string-doesnt-contain-html-using-c-sharp

Or you can give a try to this Forge with regex; it will check the regex at the client side:

https://www.outsystems.com/forge/component-overview/6574/client-side-custom-regex-regular-expression-validations

https://www.outsystems.com/forge/component-overview/6578/regex-client-side-validation-sample


Abdul,

I think the Regex method will almost for sure give false positives... No?

Cheers!

Eduardo Jauch wrote:

Abdul,

I think the Regex method will almost for sure give false positives... No?

Cheers!

Sorry, I didn't get it. Can you please elaborate? Do you want to say regex search will not work in this case?

What I know is we can check html tags with regex; I have done this when I was working with .net/C#.

Please let me know if I missed something.


I am asking if this regex will not mark some "normal" text as if they were HTML tags.
Like, not all text between < and > is an HTML tag...

Eduardo Jauch wrote:

I am asking if this regex will not mark some "normal" text as if they were HTML tags.
Like, not all text between < and > is an HTML tag...

Yes you are right, if this is the case then it will mark them as html tag.

Wanted to add: the following regex "(\<\w*)((\s\/\>)|(.*\<\/\w*\>))" will only return true if both the opening "<" and the closing "/>" tag are found.

tested here https://www.regextester.com/95818 

Eduardo Jauch wrote:

Hello Karthik

I don't know. Maybe in Forge you can find something.
The problem is that this requires "parsing" the string, and it would be a complex task.

If you are concerned about using a user input as the source to an inline statement in a SQL tool, for example, you should use the EncodeSQL function in case it is a simple value, or if it is a list, you can use the BuildSafe_InClause... functions.

https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way

Cheers.

Thanks Eduardo, I am trying to validate the text received in the API request. I want to block those requests which have html tags & a set of special characters. I thought of adding a validation in the API's OnRequest action to validate the request text. Is there any other way to validate all the input strings in an API request?

Thanks, KJ 


Hum...

I would avoid trying to "validate" the text.
I would just sanitize it, using the same techniques in the link I sent (or that Carlos provided), to just strip out anything that can look like it is HTML/JavaScript/SQL, and move on.
Later, if the request was malicious, it will just fail...

Again, trying to identify things in the text will not be efficient, and probably will give false positives...

But this decision depends on your requirements... (and how your service handles "invalid" requests).

Cheers.
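As an added example (not part of the thread and not OutSystems code), the three regexes quoted above are run here in Python against constructed sample strings, next to HTML-encoding the same text. Python's `html.escape` stands in for `EncodeHtml()` as an assumption, and the sample strings and function names are hypothetical.

```python
import html
import re

# The three patterns quoted in the thread, unchanged.
PATTERNS = {
    "paired_tag": re.compile(r"<\s*([^ >]+)[^>]*>.*?<\s*/\s*\1\s*>"),
    "any_angle": re.compile(r"<(.|\n)*?>"),
    "open_and_close": re.compile(r"(\<\w*)((\s\/\>)|(.*\<\/\w*\>))"),
}

# Constructed sample inputs (not taken from the thread).
SAMPLES = {
    "markup": "<b>hello</b>",
    "void_tag": "line one<br>line two",
    "comparison": "stock < 5 and price > 10",
    "email": "Contact John <john@example.com> today",
    "plain": "hello world",
}


def classify(text):
    """Return, per pattern, whether it reports the text as containing HTML."""
    return {name: bool(p.search(text)) for name, p in PATTERNS.items()}


def encode_for_html(text):
    """Encode text for safe display in HTML (stand-in for EncodeHtml())."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdicts = classify(text)
        flagged = [name for name, hit in verdicts.items() if hit]
        print(f"{label:11} flagged by: {flagged or 'none'}")
        print(f"{'':11} encoded:    {encode_for_html(text)}")
```

The "any_angle" pattern flags the comparison and the e-mail address as HTML, while the other two patterns do not report the lone `<br>`. Encoding gives a safe result for every sample without having to decide what counts as a tag.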

Karthik Jeyaraman wrote:

Hi All,

How to check if the string has any html content in it? Is there any inbuilt function available to do this validation?

Thanks,

KJ



Hi,

Could be helpful,


https://www.outsystems.com/forums/discussion/33685/how-to-filter-html-tags-while-searching-for-an-alphabet/


https://www.outsystems.com/forge/component-overview/145/html-utils


Thanks