filtro su blog

[maxcondor]

ho realizzato un semplice blog in asp.
L'utente inserisce un proprio commento utilizzando un form.
Vorrei impedire che un utente possa inserire codice html, quindi avevo pensato di filtrare il carattere < sostituendolo con un altro carattere. Potrebbe essere una soluzione al mio problema? Come faccio a filtrare i dati inseririti?

[[trodat]]

Utilizza il replace, cerca sul forum.

[dizionario]

codice:

messaggio=replace(messaggio,"<","&lt;")
messaggio=replace(messaggio,">","&gt;")

oppure se vuoi trasformare tutti i caratteri speciali oltre a < e > puoi fare così:

codice:

messaggio=Server.HTMLEncode(messaggio)

[maxcondor]

Mi date un aiutino? Questo è il codice per inserire un commento nel blog, dove inserisco il replace?

<%@LANGUAGE="JAVASCRIPT" CODEPAGE="1252"%>

<%
// *** Edit Operations: declare variables

// set the form action variable
var MM_editAction = Request.ServerVariables("SCRIPT_NAME");
if (Request.QueryString) {
MM_editAction += "?" + Server.HTMLEncode(Request.QueryString);
}

// boolean to abort record edit
var MM_abortEdit = false;

// query string to execute
var MM_editQuery = "";
%>
<%
// *** Insert Record: set variables

if (String(Request("MM_insert")) == "form2") {

var MM_editConnection = MM_conn_euro_STRING;
var MM_editTable = "Commenti";
var MM_editRedirectUrl = "commenti.asp";
var MM_fieldsStr = "nome|value|commento|value|ip|value|hiddenField|va lue";
var MM_columnsStr = "Nome|',none,''|Testo|',none,''|IP|',none,''|BlogI D|none,none,NULL";



// create the MM_fields and MM_columns arrays
var MM_fields = MM_fieldsStr.split("|");
var MM_columns = MM_columnsStr.split("|");

// set the form values
for (var i=0; i+1 < MM_fields.length; i+=2) {
MM_fields[i+1] = String(Request.Form(MM_fields[i]));
}

// append the query string to the redirect URL
if (MM_editRedirectUrl && Request.QueryString && Request.QueryString.Count > 0) {
MM_editRedirectUrl += ((MM_editRedirectUrl.indexOf('?') == -1)?"?":"&") + Request.QueryString;
}
}
%>
<%
// *** Insert Record: construct a sql insert statement and execute it

if (String(Request("MM_insert")) != "undefined") {

// create the sql insert statement
var MM_tableValues = "", MM_dbValues = "";
for (var i=0; i+1 < MM_fields.length; i+=2) {
var formVal = MM_fields[i+1];
var MM_typesArray = MM_columns[i+1].split(",");
var delim = (MM_typesArray[0] != "none") ? MM_typesArray[0] : "";
var altVal = (MM_typesArray[1] != "none") ? MM_typesArray[1] : "";
var emptyVal = (MM_typesArray[2] != "none") ? MM_typesArray[2] : "";
if (formVal == "" || formVal == "undefined") {
formVal = emptyVal;
} else {
if (altVal != "") {
formVal = altVal;
} else if (delim == "'") { // escape quotes
formVal = "'" + formVal.replace(/'/g,"''") + "'";
} else {
formVal = delim + formVal + delim;
}
}
MM_tableValues += ((i != 0) ? "," : "") + MM_columns[i];
MM_dbValues += ((i != 0) ? "," : "") + formVal;
}
MM_editQuery = "insert into " + MM_editTable + " (" + MM_tableValues + ") values (" + MM_dbValues + ")";

if (!MM_abortEdit) {
// execute the insert
var MM_editCmd = Server.CreateObject('ADODB.Command');
MM_editCmd.ActiveConnection = MM_editConnection;
MM_editCmd.CommandText = MM_editQuery;
MM_editCmd.Execute();
MM_editCmd.ActiveConnection.Close();

if (MM_editRedirectUrl) {
Response.Redirect(MM_editRedirectUrl);
}
}

}
%>
<%
var RecCommento__MMColParam = "1";
if (String(Request.QueryString("id")) != "undefined" &&
String(Request.QueryString("id")) != "") {
RecCommento__MMColParam = String(Request.QueryString("id"));
}
%>
<%
var RecCommento = Server.CreateObject("ADODB.Recordset");
RecCommento.ActiveConnection = MM_conn_euro_STRING;
RecCommento.Source = "SELECT * FROM Commenti WHERE BlogID = "+ RecCommento__MMColParam.replace(/'/g, "''") + " ORDER BY Data DESC";
RecCommento.CursorType = 0;
RecCommento.CursorLocation = 2;
RecCommento.LockType = 1;
RecCommento.Open();
var RecCommento_numRows = 0;
%>
<%
var Rec_blog__MMColParam = "1";
if (String(Request.QueryString("ID")) != "undefined" &&
String(Request.QueryString("ID")) != "") {
Rec_blog__MMColParam = String(Request.QueryString("ID"));
}
%>
<%
var Rec_blog = Server.CreateObject("ADODB.Recordset");
Rec_blog.ActiveConnection = MM_conn_euro_STRING;
Rec_blog.Source = "SELECT * FROM Blog WHERE ID = "+ Rec_blog__MMColParam.replace(/'/g, "''") + "";
Rec_blog.CursorType = 0;
Rec_blog.CursorLocation = 2;
Rec_blog.LockType = 1;
Rec_blog.Open();
var Rec_blog_numRows = 0;
%>

[maxcondor]

come la sintassi di replace per js?

[maxcondor]

nessuno mi sa dire dove devo inserire il replace?