Posted by joey.powell on 10/23/07 17:53
Hello guys, I am primarily an asp.net programmer, but lately I've been doing some work with Apache, MySQL and PHP.

Anyways, I have a question that I posted in the Microsoft asp.net newsgroup. Thus far no one there has been able to answer it. I feel some of you may know the answer, and that's why I'm posting it here...

I have a web app with two textboxes. The first textbox allows users to type in various text, HTML tags and CSS. The second textbox, on postback, will display/markup the text entered from the first textbox. The idea is that users can insert their own "descriptions" for items maintained by the website. Obviously if I am going to do something like this I should be careful, with the threat of XSS attacks, etc...

And so I have decided to use regular expressions to help. I am actually using something called a .NET RegularExpressionValidator server control... but what's important is that it gets translated into some JavaScript code that gets sent out with the HTTP response and provides a regular expression validator in the browser.

Now, I need to block <script>, <object>, <html>, <body>, <head> and <form> tags. What expression should I use to match these in the first textbox? Thus far I cannot even get it to match when I type <script> and then click my "Preview" button... the page posts back anyway (it is not blocked by the JavaScript validation) and then I get JavaScript errors in my browser.

I was advised to use the following expression...

\<script\> to match <script> in the first textbox. That does not work.

What expression should I use?

TIA,
JP
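The post asks for a regular expression that catches the listed tags in a description field. As an added example that is not part of the original post or any reply, here is a small dependency-free Node.js script showing two things a defender would want: a denylist pattern for exactly the tags the poster names (case-insensitive, and tolerant of attributes and closing tags, which is why a literal `\<script\>` is too narrow), and an allowlist sanitizer that keeps a few harmless formatting tags and HTML-escapes everything else. The tag sets, function names and the choice to escape rather than strip rejected markup are assumptions made for illustration. Since the poster's validator runs in the browser, note that this kind of check belongs on the server as well: the browser-side copy can be skipped by anyone who posts the form directly, so it only improves the user's experience, not the site's safety.

```javascript
// Added example, not code from the original post.
// Server-side (Node.js) checks for user-supplied HTML "descriptions".

// --- 1. Denylist: the tags listed in the post ---------------------------
// Assumed tag set taken from the question. The pattern is case-insensitive,
// allows an optional "/" (closing tag), whitespace and attributes, and uses
// \b so that e.g. "<scripture>" is not treated as "<script>".
const BLOCKED_TAGS = ["script", "object", "html", "body", "head", "form"];
const BLOCKED_RE = new RegExp(
  "<\\s*/?\\s*(?:" + BLOCKED_TAGS.join("|") + ")\\b[^>]*>",
  "i"
);

// Returns true when the input contains any blocked tag (open or close form).
function containsBlockedTag(input) {
  return BLOCKED_RE.test(input);
}

// --- 2. Allowlist: the safer design ------------------------------------
// Only these attribute-free tags are passed through; everything else is
// escaped so the browser renders it as literal text instead of markup.
const ALLOWED_TAGS = new Set(["b", "i", "u", "em", "strong", "p", "br"]);

// Standard HTML escaping for the five significant characters.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Walks the input as a sequence of tags, text runs and stray "<" characters.
// An allowlisted tag with no attributes is re-emitted in canonical lowercase;
// any other tag (unknown name, or carrying attributes such as onclick=...)
// is escaped, so the user sees what was rejected. Text runs are escaped too,
// which deliberately double-escapes entities the user typed (conservative).
function sanitizeDescription(input) {
  const TOKEN_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  return input.replace(TOKEN_RE, (m, tag, attrs) => {
    if (tag !== undefined) {
      const name = tag.toLowerCase();
      if (ALLOWED_TAGS.has(name) && attrs.trim() === "") {
        return m.startsWith("</") ? `</${name}>` : `<${name}>`;
      }
      return escapeHtml(m);
    }
    return escapeHtml(m);
  });
}

// Constructed sample input for a quick look when run directly.
const sample = "<b>Nice item</b> <SCRIPT>alert(1)</SCRIPT> costs < 10";
console.log("blocked tag present:", containsBlockedTag(sample));
console.log("sanitized:", sanitizeDescription(sample));

module.exports = { containsBlockedTag, sanitizeDescription, escapeHtml };
```

In practice the allowlist function is the one to rely on: the denylist only answers the poster's immediate question (how to make the match fire at all), while the allowlist makes the rendered preview safe regardless of which tag names someone thinks of next.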