Phil
03-21-2000, 02:26 PM
I am validating a textarea form field, the results of which will
be subsequently returned to the browser. This presents serious
security problems since a user can submit JavaScript into a form
that will be executed when it is sent back to the browser.
What's the best way to prevent execution of JavaScript code submitted
through a form when the text is returned to the browser for confirmation?
For example, I need to suppress the following JavaScript:
<a href="someurl.asp" onMouseOver="alert('hello world')">here it
is</a>
I'd like the browser to display the JavaScript code as opposed to executing
it.
Phil
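Added example, not part of Phil's post: one way to make the browser display the submitted markup instead of running it is to HTML-encode the text before writing it into the confirmation page. The names `escapeHtml` and `renderConfirmation` and the form action `save` are hypothetical; the sample input is the snippet from the post.

```javascript
// Added example: HTML-encode form input before echoing it back.
// escapeHtml, renderConfirmation and the "save" action are hypothetical names.

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can open or close a tag or an attribute value.
// "&" is included so text that already looks like an entity is shown literally.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Build the confirmation page. The submitted text lands in two contexts:
// element content (<pre>) and a quoted attribute value (hidden field that
// carries the text to the next step). Both receive the encoded form.
function renderConfirmation(comment) {
  const safe = escapeHtml(comment);
  return [
    '<p>You entered:</p>',
    `<pre>${safe}</pre>`,
    '<form method="post" action="save">',
    `<input type="hidden" name="comment" value="${safe}">`,
    '<input type="submit" value="Confirm">',
    '</form>',
  ].join('\n');
}

// Constructed input: the snippet from the post above, as a textarea would send it.
const submitted =
  `<a href="someurl.asp" onMouseOver="alert('hello world')">here it\nis</a>`;

console.log(renderConfirmation(submitted));
```

On a classic ASP page the built-in `Server.HTMLEncode` method performs the same encoding at the point where the value is written to the response.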