Could someone please help check my url string to page output code is safe?
```html
<script type="text/javascript">
// Replace every run of characters other than ASCII letters, digits and
// whitespace with a space, then collapse whitespace.
function sanitize(input) {
  return input
    .replace(/([^a-z\d\s]+)/gi, ' ')
    .replace(/(\s+)/gi, ' ');
}

// Parse the URL parameter. Returns null when the parameter is absent,
// '' when it is present but empty. Note that decodeURIComponent throws a
// URIError on a malformed sequence such as %E0.
function getParameterByName(name, url) {
  if (!url) url = window.location.href;
  name = name.replace(/[\[\]]/g, "\\$&");
  var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
      results = regex.exec(url);
  if (!results) return null;
  if (!results[2]) return '';
  return decodeURIComponent(results[2].replace(/\+/g, " "));
}

// Give the parameter a variable name and sanitize.
// The `|| ''` guards against sanitize(null) throwing when the
// parameter is missing from the URL.
var dynamicContent = sanitize(getParameterByName('donor') || '');
var dynamicContent2 = sanitize(getParameterByName('amount') || '');

// Output the text to the page (innerText assigns text, not markup)
document.getElementById("formText").innerText = dynamicContent;
document.getElementById("formText2").innerText = dynamicContent2;
</script>
```
It all works as expected and I've tested adding things like ?donor=<a href="https://example.com>click</a>&amount=5 and it strips out the characters to stop it making a working link etc. Other than that, is there anything that I should do with the above code, or will that safely allow me to display a message along the lines of "Dear 'Donor', thanks for £'Amount'" from the URL variables? I'd normally do it in PHP but I don't have access to that in this setup and I'm not great with JS. Any thoughts appreciated. Thanks
The posted script reads two query parameters, donor and amount, with a regex-based getParameterByName (which also runs decodeURIComponent on the value), passes each through sanitize, which replaces every run of characters outside ASCII letters, digits and whitespace with a space and collapses whitespace, and then writes the results into the elements formText and formText2 via innerText. The test URL ?donor=<a href="https://example.com">click</a>&amount=5 therefore comes out as a few plain words with all tag characters gone.

What actually prevents markup injection here is the innerText assignment: the browser treats the assigned string as text and never parses it as HTML, so even the unsanitized value could not create a link or run script. The regex is defence in depth for this page, but it is also a blunt display filter: it removes the apostrophe in a name like O'Brien and every non-ASCII letter, and it lets a non-numeric "amount" such as "5 or 50" straight through. Two things are worth tightening. First, getParameterByName returns null when a parameter is absent and sanitize(null) throws, so missing values should default to an empty string; decodeURIComponent also throws a URIError on a malformed sequence such as %E0, so the parsing step should be wrapped or replaced with URLSearchParams, which decodes without throwing. Second, amount should be validated as a number (digits with an optional two-decimal fraction, positive, bounded) rather than merely stripped of punctuation. Finally, both values come from the URL, so anyone who can send a link can make the page display any name and any amount; the message should read as a courtesy note and must never be presented as confirmation that a payment of that amount was received. Server-side validation matters wherever a server actually processes these values; on a static page like this, the client-side checks above are the controls that matter.
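The hardened version described above, written as an added example rather than code from the question: it uses URL/URLSearchParams instead of a hand-rolled regex and decodeURIComponent, allow-lists the name with Unicode letter classes, validates the amount as a number, and keeps rendering separate from parsing so the logic can be run under Node without a DOM. The element ids formText and formText2 and the message shape are taken from the question; the URLs in the comments and the 60-character name cap are assumptions.

```javascript
// Added example, not the asker's code: a hardened donor/amount display.
// Assumes the element ids formText/formText2 and the message shape
// "Dear <donor>, thanks for £<amount>" from the question.

// Parse and validate the two query parameters from a full URL string.
// Returns { donor, amount } or null when nothing should be displayed.
// URL/URLSearchParams handle '+' -> space and percent-decoding, and unlike
// decodeURIComponent they never throw on a malformed sequence such as %E0
// (it decodes to U+FFFD, which the allow-list below then discards).
function parseDonation(url) {
  let params;
  try {
    params = new URL(url).searchParams;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  const donorRaw = params.get('donor');
  const amountRaw = params.get('amount');
  if (donorRaw === null || amountRaw === null) return null; // missing parameter

  // Allow-list for the name: letters from any script, combining marks,
  // whitespace, apostrophe and hyphen. Tags, quotes and other punctuation
  // become a space, whitespace runs collapse, and the result is length-capped.
  const donor = donorRaw
    .replace(/[^\p{L}\p{M}\s'-]+/gu, ' ')
    .replace(/\s+/g, ' ')
    .trim()
    .slice(0, 60); // assumed cap
  if (donor === '') return null;

  // The amount is validated, not sanitised: a positive decimal with at most
  // seven integer digits and two decimals. "5abc", "-5", "1e3", "5 or 50" fail.
  if (!/^\d{1,7}(\.\d{1,2})?$/.test(amountRaw)) return null;
  const amount = Number(amountRaw);
  if (!(amount > 0)) return null; // rejects "0" and "0.00"

  return { donor: donor, amount: amount.toFixed(2) };
}

// Build the visible message as a plain string so it can be tested without a DOM.
function formatMessage(donation) {
  if (donation === null) return 'Thank you for your donation.';
  return 'Dear ' + donation.donor + ', thanks for £' + donation.amount;
}

// Write the text into the page. textContent (like innerText) assigns text,
// never markup, so the browser cannot turn the value into an element or a
// script even if the allow-list above were removed. `doc` is passed in so a
// stub object can stand in for `document` under Node.
function render(doc, url) {
  const donation = parseDonation(url);
  const nameEl = doc.getElementById('formText');
  const amountEl = doc.getElementById('formText2');
  nameEl.textContent = donation === null ? '' : donation.donor;
  amountEl.textContent = donation === null ? '' : donation.amount;
  return formatMessage(donation);
}

// In a browser, run against the current page; under Node this branch is skipped.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  render(document, window.location.href);
}
```

With a link such as ?donor=<img src=x>&amount=5 the name is reduced to "img src x" before it ever reaches the page, and an amount that is not a plain decimal yields no message at all rather than a garbled one. Because the values still originate from the URL, the rendered text remains a courtesy note and nothing on the page should treat it as proof of payment.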