Thanks a lot for the thoughts so far. Just to clarify how the user input is going to work though: Users enter plain text only (any attempts to enter/insert html code into the submission form will be cleaned by a php script) which is then stored in a flat-file (.txt) database. I would then like to retrieve that data for each marker and use html in each info window to format the text to something nicer (e.g. embolden all names, put comments in italics, space the text better, etc etc...) If that makes sense???
Surely there must be a way of enabling html to render in the info windows??? Thanks for the pointer about escape keys - I've amended the script so that the correct html is output, albeit in textual, un-rendered form for the moment...

2009/11/16 Gregory Short <[email protected]>:
> On Nov 15, 2009, at 11:34 PM, Mike Williams wrote:
>
>> There doesn't seem to be a webserver at that URL, so I can't see what you're doing wrong.
>
> I just tried the link and it went (eventually). Either he fixed it, or the server is just slow.
>
> Anyhow, clicking on the markers in their current form displays the following:
>
> <html><body><b>some random text< >< ody><html>
>
> Your display problems aside, the html you're trying to use at the moment is pretty clearly broken. It looks like maybe you forgot to escape a / in your quoted strings in the php script outputting this stuff. /b means escape-b, whereas //b means '/' followed by 'b', which is what you want your resultant html to have. With that in mind, what are your plans for when a user enters broken/invalid html as you have? If the user enters sufficiently broken html, it will break all of *your* html which follows.
>
> MW definitely cut to the important issue: quite likely the best solution would be to treat user data as plain text. Doing otherwise provides the user with all sorts of injection attack vectors against your page, both malicious and unintentional. That is to say, you've already executed a nearly-successful attack against your own page. Good thing it wasn't rendering your data as html! If you can't trust yourself, who *can* you trust? Surely not the internet at large. ;)
>
> --
>
> You received this message because you are subscribed to the Google Groups "Google Maps API" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/google-maps-api?hl=.
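An added example, not code from this thread or from the Google Maps API, showing the approach Gregory describes: the stored user text stays plain text, it is escaped before use, and only the page author's own markup (bold names, italic comments) is rendered in the info window. The record shape `{name, comment}` and the sample records are assumed/constructed.

```javascript
// Added example (not from the thread): build info-window HTML from plain-text
// user records so the author's own markup renders while user text never does.
// Assumed record shape {name, comment}, as read from the flat-file database.

// Escape the five characters that can change HTML structure or break out of
// an attribute. After this the string is safe to place inside element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Trusted formatting is added here, by the page author, around escaped user
// text: names in bold, comments in italics, user newlines kept as <br>.
function buildInfoWindowHtml(record) {
  const name = escapeHtml(record.name);
  const comment = escapeHtml(record.comment).replace(/\r?\n/g, '<br>');
  return '<div class="marker-info"><b>' + name + '</b><br><i>' + comment + '</i></div>';
}

// Constructed sample records. The second carries the kind of broken markup
// the thread shows being displayed; escaping keeps it as visible text instead
// of letting it swallow the markup that follows.
const sampleRecords = [
  { name: 'Mike', comment: 'Nice spot.\nVisit in summer.' },
  { name: '<html><body><b>some random text', comment: 'Tom & Jerry <3' },
];

// One HTML string per marker, ready to hand to that marker's info window.
function renderAll(records) {
  return records.map(buildInfoWindowHtml);
}

// Only runs under Node; in the browser pass each string to its marker's
// info window instead of printing it.
if (typeof require !== 'undefined' && require.main === module) {
  renderAll(sampleRecords).forEach((html) => console.log(html));
}
```

If the PHP script builds the HTML server-side instead, apply the same escaping there with htmlspecialchars and emit the finished string into the JavaScript with json_encode, which also escapes `</` and quotes for the script context.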
