We would like to stop users inputing html or javascript in a text box.
We can just parse the input and check for angel brackets. Was wondering is there a better way to do this?
+3
A:
If you set Page.ValidateRequest = true then it will stop this.
From .net version 1.1 onwards (I think) this is set to true by default.
Robin Day
2009-09-15 14:52:38
ValidateRequest is utterly, utterly bogus, and betrays a dangerous misunderstanding of the problem. It's similar to PHP's much-derided magic_quotes_gpc in that it tries to fix an output problem (escaping) in the input layer. Like magic quotes, it breaks your application (eg. if it were on here at SO, we wouldn't be able to talk about HTML `<tags>` at all), whilst not actually guaranteeing its security (output doesn't all come directly from input and filters can be fooled).
bobince
2009-09-15 15:37:03
I don't deny anything you say and in almost all our applications it is turned off globally and any input/output is validated manually. However, this question says "We would like to stop users inputing html or javascript in a text box." ValidateRequest does this.
Robin Day
2009-09-15 16:54:57
Indeed. It's the right answer... just it may not be the right question!
bobince
2009-09-15 17:00:34
+5
A:
I have found that replacing the angel brackets with encoded angel brackets solves most problems. Here is a reference for all the ways people can cross-site script. Making a regex to stop any flavor of HTML and or Script is damn near impossible.
rick schott
2009-09-15 14:55:43
+1 Don't ‘check’ anything, escape it properly on the way out instead. Users should be able to type some angle brackets and they should appear as normal angle brackets on the page like this: < >. The correct method is called HtmlEncode (if the .NET controls are not escaping automatically for you in your template), and it affects ampersands and quotes (for text in attribute values) too.
bobince
2009-09-15 15:29:10
+1
A:
Page.ValidateRequest will stop this unless you have it turned off.
However, OWASP guidelines (as well pretty much all competent security guidelines) tell you that you should NOT try to limit bad characters in your validation, but instead you should filter so that only specifically allowed characters are used.
http://en.wikipedia.org/wiki/Secure_input_and_output_handling
http://www.owasp.org/index.php/Top_10_2007-A1
For good secure coding practices I would start here and bookmark the site for future reference. http://www.owasp.org/index.php/Top_10_2007
David Stratton
2009-09-15 16:03:33
A:
I came across this html utility. The code uses a white list of tags that are allowed to be entered. The script then formats the input text and removes tags and scripts that could be used for cross site scripting attackes.
For your purposes you could not have any tags in the white list.
skyfoot
2009-09-15 16:10:06