Hello

I am trying to detect JavaScript in my querystrings value.

I have the following c# code

    using System.Text.RegularExpressions;

    private bool checkForXSS(string value)
    {
        // .NET regexes take no Perl-style /.../I delimiters; case-insensitivity
        // comes from RegexOptions. Flags anything shaped like a complete tag,
        // whether the angle brackets arrive raw or as %3C / %3E.
        Regex regex = new Regex(@"((%3C)|<)[^\n]+((%3E)|>)", RegexOptions.IgnoreCase);

        return regex.IsMatch(value);
    }

This works for detecting <script></script> tags but unfortunately if there were no tags a match is not reached.

Is it possible for a regex to match on JavaScript keywords and semi-colons etc?

This is not meant to cover all XSS attack bases. Just a way to detect simple JS attacks that can be in a string value.

Thanks

+3  A: 

That's a pretty lame way of preventing cross-site scripting attacks. You need to use a completely different approach: make sure that your user-supplied input is:

  1. Validated such that it matches the semantics of the data being gathered;

  2. Appropriately quoted every time that it is used to construct expressions to be interpreted by some language interpreter (SQL, HTML, Javascript - even when going to a plain-text logfile). Appropriate quoting completely depends on the output context, and there is no single way to do it.

Pointy
I am picking up an existing app where querystrings are put to the page. I need to check the values for javascript, e.g. alert, function, events etc and HTML. My above regex checks for tags but not for JS keywords etc. I want to strip the JS before it's put to the page.
w4ymo
Sorry, but I really don't understand what that means.
Pointy
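The second half of the advice above, encoding for the exact output context, as an added C# example (not code from the original post or from Pointy). It assumes the value has already passed whatever semantic validation fits the field, that the attribute sink is double-quoted, and that `System.Web.HttpUtility` is available (it is in System.Web on .NET Framework and in the base library on .NET Core 2.0 and later):

```csharp
using System;
using System.Web; // HttpUtility: System.Web on .NET Framework, base library on .NET Core 2.0+

// Added example, not code from the original post. Assumes the querystring value
// already passed a whitelist check appropriate to its meaning; this shows only
// the output-side half of the advice: one encoder per sink context.
public static class OutputEncoding
{
    // Context 1: text between tags, e.g. <p>...</p>
    public static string ForHtmlText(string value) => HttpUtility.HtmlEncode(value);

    // Context 2: inside a double-quoted attribute, e.g. <input value="...">.
    // HtmlAttributeEncode escapes " & < and ', which is enough only because
    // the attribute is double-quoted (assumption).
    public static string ForHtmlAttribute(string value) => HttpUtility.HtmlAttributeEncode(value);

    // Context 3: inside a JavaScript string literal in a <script> block.
    // JavaScriptStringEncode escapes quotes, backslashes, control characters
    // and < > as \uXXXX, so a "</script>" in the value cannot close the block.
    public static string ForJsString(string value) => HttpUtility.JavaScriptStringEncode(value, addDoubleQuotes: true);

    public static void Main()
    {
        // Constructed sample: a hostile value as it arrives after URL decoding
        string q = "<img src=x onerror=alert(1)>\" onmouseover=\"alert(2)";

        Console.WriteLine("<p>" + ForHtmlText(q) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(q) + "\">");
        Console.WriteLine("<script>var q = " + ForJsString(q) + ";</script>");
    }
}
```

Each encoder is correct only for the sink it is named after: a JS-encoded string that the page later assigns to `innerHTML` re-enters the HTML context and needs HTML encoding at that point as well, and a value written into an `href` or `src` attribute additionally needs its scheme checked, since `javascript:` survives attribute encoding intact.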
+4  A: 

Nº 1 Rule: Use a whitelist, not a blacklist.

You are preventing one way to do an XSS, not any. To achieve this, you must validate the input against what you should accept as a user input, i.e.

  • If you expect a number, validate the input against /^\d{1, n}$/
  • If you expect a string, validate it against /^[\s\w\.\,]+$/, etc...

For further info, start reading the Wikipedia entry, the entry at OWASP, webappsec articles and some random blog entries written by unknown people

Rodrigo
Sad nobody caught the "unknown people" joke
Rodrigo
A: 

It should be enough for you to check if the tag <script is present.

    private bool checkForXSS(string value)
    {
        // Ordinal, case-insensitive so "<SCRIPT" and "<Script" are caught too
        return value.IndexOf("<script", StringComparison.OrdinalIgnoreCase) != -1;
    }
Paulo Manuel Santos
False. `onclick`, `onmouseover`, etc. can exist without script tags.
ceejayoz
I can think of a handful of other ways of circumventing this; it is a poor approach.
Paul Lammertsma
Ok, I didn't think of that...
Paulo Manuel Santos
+1  A: 

There are many ways to embed javascript. E.g.

  %3Cp+style="expression(alert('hi'))"

will make it through your filter.

You probably can't find a magical regexp that will find all JS and that won't reject a lot of valid query strings.

This kind of checking might be useful, but it should only be one part of a defense-in-depth.

Mike Samuel
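The gaps described in Rodrigo's whitelist answer, in ceejayoz's comment about event handlers, and in Mike Samuel's `expression(...)` example can be seen directly by running the thread's two blacklist checks next to a whitelist over a few payloads. This is an added C# example, not code from the original question or from any of the answers; the payloads are constructed, and the `NumberOnly` and `PlainText` patterns are this example's adaptation of the whitelists Rodrigo sketched:

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the original post or answers. It runs the two
// blacklist checks proposed in this thread next to a whitelist check over
// constructed payloads, so the gaps the answers describe are visible.
public static class FilterComparison
{
    // The question's pattern as a .NET regex: no Perl-style /.../I delimiters,
    // case-insensitivity comes from RegexOptions.
    static readonly Regex TagPattern =
        new Regex(@"((%3C)|<)[^\n]+((%3E)|>)", RegexOptions.IgnoreCase);

    // Blacklist 1: the question's "looks like a complete tag" check.
    public static bool BlacklistTagRegex(string raw) => TagPattern.IsMatch(raw);

    // Blacklist 2: the "<script" substring check from one of the answers.
    public static bool BlacklistScriptTag(string raw) =>
        raw.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;

    // Whitelists after Rodrigo's answer, with two .NET-specific choices:
    // [0-9] rather than \d (which also matches non-ASCII digits in .NET), and
    // \z rather than $ (which would also accept a value ending in "\n").
    static readonly Regex NumberOnly = new Regex(@"^[0-9]{1,10}\z");
    static readonly Regex PlainText  = new Regex(@"^[\s\w\.\,]+\z");

    public static bool IsValidNumber(string raw)    => NumberOnly.IsMatch(raw);
    public static bool IsValidPlainText(string raw) => PlainText.IsMatch(raw);

    public static void Main()
    {
        // Constructed inputs, written as they appear in the raw query string.
        // Request.QueryString["x"] hands the page the URL-decoded form, so the
        // %3C / %3E branches of the regex only matter if the raw URL is checked.
        string[] payloads =
        {
            "hello, world",                              // benign text
            "42",                                        // benign number
            "%3Cscript%3Ealert(1)%3C/script%3E",         // the case the regex was written for
            "%3Cp+style=\"expression(alert('hi'))\"",    // Mike Samuel's: no closing > to match
            "<img src=x onerror=alert(1)",               // unclosed tag, no "<script"
            "\" onmouseover=\"alert(1)",                 // attribute breakout, no tag at all
            "%253Cscript%253E",                          // double-encoded: decodes to %3Cscript%3E
        };

        Console.WriteLine("{0,-42} {1,-9} {2,-9} {3,-7} {4}",
            "payload", "tagRegex", "<script", "number", "text");
        foreach (string p in payloads)
        {
            Console.WriteLine("{0,-42} {1,-9} {2,-9} {3,-7} {4}",
                p, BlacklistTagRegex(p), BlacklistScriptTag(p),
                IsValidNumber(p), IsValidPlainText(p));
        }
    }
}
```

The two blacklist columns each flag only the payloads that happen to contain the shape they look for, while the whitelist columns accept exactly the two benign values and reject everything else without knowing anything about JavaScript. That is the practical content of "use a whitelist, not a blacklist": the validator describes the data, and the encoding step at output time handles whatever the validator could not express.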