Posted by joey.powell on 10/23/07 18:41
On Oct 23, 1:03 pm, "Rik Wasmus" <luiheidsgoe...@hotmail.com> wrote:
> On Tue, 23 Oct 2007 19:53:32 +0200, <joey.pow...@topscene.com> wrote:
> > Hello guys, I am primarily an asp.net programmer, but lately I've been
> > doing some work with Apache, MySQL and PHP.
>
> > Anyways, I have a question that I posted in the microsoft asp.net
> > newsgroup. Thus far no one there has been able to answer it. I feel
> > some of you may know the answer, and that's why I'm posting it here...
>
> > I have a web app with two textboxes. The first textbox allows users to
> > type in various text, html tags and CSS. The second textbox, on post
> > back, will display/markup the text entered from the first textbox. The
> > idea is that users can insert their own "descriptions" for items
> > maintained by the website. Obviously if I am going to do something
> > like this I should be careful, with the threat of XSS attacks, etc...
>
> > And so I have decided to use regular expressions to help. I am
> > actually using something called a .net RegularExpressionValidator
> > server control...but what's important is that it get translated into
> > some javascript code that gets sent out with the HTTP response and
> > provides a regular expression validator in the browser.
>
> > Now, I need to block <script>, <object>, <html>, <body>, <head> and
> > <form> tags.
>
> Are you sure you don't also want to disable inline javascript events for
> any tag?
>
> > What expression should I use to match these in the first
> > textbox? Thus far I cannot even get it to match when I type <script>
> > and then click my "Preview" button...the page posts back (it is not
> > blocked by the javascript validation) anyways and then I get
> > javascript errors in my browser.
>
> > I was advised to use the following expression...
>
> > \<script\> to match <script> in the first textbox. That does not work.
> > What expression should I use?
>
> /<script[^>]*>/i
> --
> Rik Wasmus
thanks, you're right
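The thread's regex turned into a working browser-side check, as an added example that is not code from either poster. It covers the six tags joey named plus the inline event handlers Rik raised, and shows why an expression meant for a RegularExpressionValidator has to be phrased as an accept pattern; the attribute pattern and the sample descriptions are constructed for this example.

```javascript
// Added example, not code from the thread. Built on Rik's /<script[^>]*>/i,
// extended to every tag joey listed and to inline event handlers. The tag
// names are joey's; the attribute pattern and samples are constructed here.

// Open or close tag with one of the listed names, any attributes, any case.
const BLOCKED_TAGS = ['script', 'object', 'html', 'body', 'head', 'form'];
const TAG_RE = new RegExp(
  `<\\s*/?\\s*(?:${BLOCKED_TAGS.join('|')})\\b[^>]*>`, 'i');

// An attribute named on... (onclick, onmouseover, ...) inside any tag.
// Without this rule <b onclick="..."> passes the tag check above.
const EVENT_ATTR_RE = /<[^>]*\s+on[a-z]+\s*=/i;

// Returns the text of the first offending match, or null when both rules pass.
function rejectReason(text) {
  const tag = TAG_RE.exec(text);
  if (tag) return `blocked tag: ${tag[0]}`;
  const ev = EVENT_ATTR_RE.exec(text);
  if (ev) return `inline event handler: ${ev[0]}`;
  return null;
}

// A RegularExpressionValidator treats a match as VALID and requires the whole
// value to match, so a bare \<script\> would accept only the exact text
// "<script>" and reject everything else. A blocking rule for that control has
// to be phrased as an accept pattern: a negative lookahead for each rule at
// every position, consuming the entire value. Same two rules, in that form.
const ACCEPT_RE = new RegExp(
  `^(?:(?!${TAG_RE.source})(?!${EVENT_ATTR_RE.source})[\\s\\S])*$`, 'i');

// Constructed descriptions, as a user might type them into the first textbox.
function checkSamples() {
  return {
    plain:  rejectReason('A <b>bold</b> item, priced <i>low</i>.'),
    script: rejectReason('hi <SCRIPT src="x.js"></script>'),
    close:  rejectReason('text </form> more'),
    event:  rejectReason('<b onmouseover="x()">hover</b>'),
    prose:  rejectReason('<p>Now on sale: 1 < 2 and a > b</p>'),
    acceptPlain: ACCEPT_RE.test('A <b>bold</b> item, priced <i>low</i>.'),
    acceptEvent: ACCEPT_RE.test('<b onmouseover="x()">hover</b>'),
  };
}

// Both checks are a denylist: they catch only the tags and attributes named
// here, and anything the list omits passes through unchanged.
```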