tags:

views:

66

answers:

1
Q: 

Find Javascript Code inside String

Greetings friends,

I am developing a web application that will allow the customer to enter a personalized message, which will then be converted to HTML. Well, the problem is that I can not allow the insertion of Javascript code. So I need a method that filters the text, searching for and remove it. I think the regular expressions to solve my problem, but I'm having difficulty building. Some of his friends could help me, or has already developed something for this.

Thank you.

+4  A: 

You don't need to worry at what the customer enters and is saved into the database. You need to worry what you are showing in the View. All you need is to html encode the message before displaying it:

<%= Html.Encode(Model.TheMessage) %>

or using the new ASP.NET 4.0 code nugget:

<%: Model.TheMessage %>
Darin Dimitrov  2010-04-26 12:13:47
Friend, sorry did not explain, but I need to send the html email, and even export it, then I need to remove the javascript code.Issues of application security, as defined in the analysis.Thanks
Ph.E  2010-04-26 12:53:16
When you generate this HTML you need to encode properly HTML encode the user input.
Darin Dimitrov  2010-04-26 13:05:21
Buddy! Formats output like UTF-8?
Ph.E  2010-04-26 13:28:03
not a good advice "You don't need to worry at what the customer enters and is saved into the database" it a potential XSS vulnerability.
Cesar  2010-04-26 14:25:44
@Cesar, as long as you filter what you are showing in the HTML no XSS is possible.
Darin Dimitrov  2010-04-26 16:09:21

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps