Check for script in asp.net text box
Question
We would like to stop users inputing html or javascript in a text box.
We can just parse the input and check for angel brackets. Was wondering is there a better way to do this?
5 answers
solution1
5 ACCPTED 2009-09-15 14:55:43
I have found that replacing the angel brackets with encoded angel brackets solves most problems. Here is a reference for all the ways people can cross-site script. Making a regex to stop any flavor of HTML and or Script is damn near impossible.
solution2
3 2009-09-15 14:52:38
If you set Page.ValidateRequest = true then it will stop this.
From .net version 1.1 onwards (I think) this is set to true by default.
solution3
2 2009-09-15 14:49:09
你能使用正则表达式验证器来验证输入吗?
solution4
1 2009-09-15 16:03:33
Page.ValidateRequest will stop this unless you have it turned off.
However, OWASP guidelines (as well pretty much all competent security guidelines) tell you that you should NOT try to limit bad characters in your validation, but instead you should filter so that only specifically allowed characters are used.
http://en.wikipedia.org/wiki/Secure_input_and_output_handling
http://www.owasp.org/index.php/Top_10_2007-A1
For good secure coding practices I would start here and bookmark the site for future reference. http://www.owasp.org/index.php/Top_10_2007
solution5
0 2009-09-15 16:10:06
I came across this html utility. The code uses a white list of tags that are allowed to be entered. The script then formats the input text and removes tags and scripts that could be used for cross site scripting attackes.
For your purposes you could not have any tags in the white list.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.