Re: Question About Regular Expression

Posted by Rik Wasmus on 10/23/07 18:03

On Tue, 23 Oct 2007 19:53:32 +0200, <joey.powell@topscene.com> wrote:

> Hello guys, I am primarily an asp.net programmer, but lately I've been
> doing some work with Apache, MySQL and PHP.
>
> Anyway, I have a question that I posted in the Microsoft asp.net
> newsgroup. Thus far no one there has been able to answer it. I feel
> some of you may know the answer, and that's why I'm posting it here...
>
> I have a web app with two textboxes. The first textbox allows users to
> type in various text, html tags and CSS. The second textbox, on post
> back, will display/markup the text entered from the first textbox. The
> idea is that users can insert their own "descriptions" for items
> maintained by the website. Obviously if I am going to do something
> like this I should be careful, with the threat of XSS attacks, etc...
>
> And so I have decided to use regular expressions to help. I am
> actually using something called a .net RegularExpressionValidator
> server control...but what's important is that it get translated into
> some JavaScript code that gets sent out with the HTTP response and
> provides a regular expression validator in the browser.
>
> Now, I need to block <script>, <object>, <html>, <body>, <head> and
> <form> tags.

Are you sure you don't also want to disable inline JavaScript events for
any tag?

> What expression should I use to match these in the first
> textbox? Thus far I cannot even get it to match when I type <script>
> and then click my "Preview" button...the page posts back (it is not
> blocked by the JavaScript validation) anyway and then I get
> JavaScript errors in my browser.
>
> I was advised to use the following expression...
>
> \<script\> to match <script> in the first textbox. That does not work.
> What expression should I use?

/<script[^>]*>/i
--
Rik Wasmus
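Added example, not part of the thread above: the blocklist the poster asked for, written as JavaScript like the client-side validator they describe, plus the inline-event-handler check Rik suggests. Rik's /<script[^>]*>/i is extended to the other five tags and to closing tags. The function names, the regexes beyond Rik's, and the sample inputs are mine and are constructed to show what each pattern catches and what a blocklist still lets through.

```javascript
// Tag blocklist from the question as one case-insensitive regex, built on
// the same idea as Rik's /<script[^>]*>/i: `[^>]*` lets the tag carry
// attributes (<script src=...>), `\/?` also catches closing tags, `\b`
// stops the alternation matching a longer tag name. The goal is to
// reject the whole submission, so over-matching is acceptable and
// under-matching is the risk. (Added example, not the poster's code.)
const BLOCKED_TAG_RE = /<\/?(?:script|object|html|body|head|form)\b[^>]*>/i;

// Rik's follow-up: inline event handlers (onload=, onerror=, onclick=...)
// on *any* tag. Matches an attribute name starting with "on" followed by
// "=", preceded by whitespace or a slash, inside a tag.
const EVENT_HANDLER_RE = /<[^>]*[\s\/]on[a-z]+\s*=/i;

// Returns null when the text passes, otherwise the reason for rejection.
function rejectReason(text) {
  const tagHit = text.match(BLOCKED_TAG_RE);
  if (tagHit) return `blocked tag: ${tagHit[0]}`;
  const evHit = text.match(EVENT_HANDLER_RE);
  if (evHit) return `inline event handler: ${evHit[0]}`;
  return null;
}

// Constructed sample inputs (not from the thread).
const SAMPLES = [
  '<p style="color:red">Nice item</p>',                // plain markup: passes
  '<script>alert(1)</script>',                          // the poster's failing case
  '<SCRIPT SRC="//example.invalid/x.js"></SCRIPT>',     // mixed case, attributes
  '<form action="/x"><input name=pw></form>',           // another blocked tag
  '<img src="x" onerror="alert(1)">',                   // no blocked tag; only the event check catches it
  '<a href="javascript:alert(1)">click</a>',            // neither pattern matches: a blocklist gap
];

function classify(samples = SAMPLES) {
  return samples.map((s) => ({ input: s, reason: rejectReason(s) }));
}

// Runs in a browser console or under Node (node filter.js).
for (const r of classify()) {
  console.log(r.reason === null ? 'ALLOW ' : 'REJECT', r.input, r.reason ?? '');
}
```

Two caveats a practitioner would add. The browser-side validator is only a convenience: anyone can disable JavaScript or replay the POST, so the same check (or a stronger one) has to run on the server before the description is stored or echoed back. And a blocklist is only as good as its list: the last sample shows a javascript: URL in an href passing both patterns, which is why an allowlist of permitted tags and attributes is the safer design for user-supplied HTML.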
