How can I render user entered HTML without messing up my own page...

I have a case where user can enter some HTML code which is then stored
in the database. When I render the page with user's HTML any mistakes
made by the user might effect the layout of my page. For example, if
the user started a <table> tag, but did not finish it with a </table>
tag. This definitely breaks my own layout.

What I want to do, is somehow render's user's HTML (not in a popup)
without effecting my own html. I want to "SCOPE" user's html to a
particular area on the page.

Is there a way to do this with Java or JavaScript?

Thanks.
-AP_

Just a quick thought ....

When your user submits the HTML why not display it in a popup window and ask
them if they are sure this is correct ? If so then squirel it away in your
DB and display as intended next time.

Not sure how to do this in JS but could you search for open tags ( <?? ) and
then once found get the closing ones - messy but it would catch any
problems.

HTH

Chris

Alex Paransky <apara@standardset.com> writes:
> I have a case where user can enter some HTML code which is then stored
> in the database. When I render the page with user's HTML any mistakes
> made by the user might effect the layout of my page. For example, if
> the user started a <table> tag, but did not finish it with a </table>
> tag. This definitely breaks my own layout.
>
> What I want to do, is somehow render's user's HTML (not in a popup)
> without effecting my own html. I want to "SCOPE" user's html to a
> particular area on the page.
>
> Is there a way to do this with Java or JavaScript?

You could use IFRAME or OBJECT to keep the HTML in one place, though
there's accessibility and usability problems with that, and it may not
look much like you want either.

Perhaps a better solution would be to pass the HTML code through HTML
Tidy server-side, and then insert that into the database. Valid code
will be fine, invalid code will be fixed, though perhaps not in the
way that was intended. The suggestion made elsewhere of displaying a
preview is probably a good idea - preview post-tidy so they can fix
errors caused by tidy making the wrong guess about where to close the
tags.

--
Chris

Alex Paransky wrote:

> I have a case where user can enter some HTML code which is then stored
> in the database. When I render the page with user's HTML any mistakes
> made by the user might effect the layout of my page. For example, if
> the user started a <table> tag, but did not finish it with a </table>
> tag. This definitely breaks my own layout.

This can be broken down in to two issues, and should be handled on the
server by whatever process is putting the HTML in the database.

(1) Ensuring that user-entered HTML is valid and well formed

This is probably best done by running submitted data through a validator and
if any problems are found displaying an error message to them and asking
for it to be edited.

(2) Ensuring that the user can't muck anything up

This is usually best done with a whitelist of tags and attributes. Any HTML
used that isn't in the list gets either silently striped to returned to the
user with an error.

The whitelist would probably include tags such as <p>, but not <script> and
attributes such as lang, but not style.

An other option is to ban HTML entirely and use something like textile:
http://textism.com/tools/textile/

--
David Dorward http://david.us-lot.org/
Redesign in progress: http://stone.thecoreworlds.net/
Microsoft announces IE is dead (so upgrade):
http://minutillo.com/steve/weblog/20...ces-ie-is-dead

David Dorward <dorward@yahoo.com> wrote in message news:<1057239408.538553@news>...

> An other option is to ban HTML entirely and use something like textile:
> http://textism.com/tools/textile/


Or any of a number of wiki syntax offerings, like the one described at
http://allmyfaqs.com/faq.pl?Intro_and_Tour or
http://hytext.com/ww/cgi-bin/ww.pl?Quick_Start

---- jerry (WikiWriter lives at http://hytext.com/ww/ )