Hello,

Is there a way that I could automatically format the input box via JavaScript to prevent XSS before the user clicks the submit button?

Like, for instance, after a user types a script attack into a textbox, the JavaScript automatically formats the value within the textbox to a safe format.

By the way, I'm not just relying on this procedure to prevent XSS; it's just that our client base has phrases that trigger ASP.NET to consider them XSS. Here's the exact example:

The phrase OMY G<W TUBE/OVARY will trigger the page to consider this as XSS, while OMY G< W TUBE/OVARY isn't considered a potential risk.

+3  A: 

No, there is not.

XSS can only be prevented at server time, by formatting the untrusted data for the given context it is about to be displayed in.

Noon Silk
You are absolutely correct. However, Martin is not asking how to prevent XSS. He is merely asking how to thwart ASP.Net's XSS prevention system.
Mark Eirich
@Mark: No he's not, and the way to "thwart" ASP.NET's prevention system is to turn it off. It's trivial.
Noon Silk
Martin Ongtangco
+1  A: 

Not hard, assuming that you can figure out exactly what triggers the ASP.Net XSS filter. For example, this will fix your shown case:

<form id="form" onsubmit="fix()">
    <input id="textbox" />
    <input type="submit" />
</form>
<script>
    // Runs just before the form is submitted and rewrites the textbox value.
    function fix() {
        var t = document.getElementById('textbox');
        // Insert a space after every "<" that is directly followed by a word
        // character (the "g" flag handles all occurrences, not only the first),
        // so "G<W" becomes "G< W" and no longer looks like the start of a tag.
        t.value = t.value.replace(/<(\w)/g, '< $1');
    }
</script>

Please understand that this "solution" will NOT prevent XSS attacks in any way whatsoever, or validate the input in any way. XSS attacks can ONLY be prevented server-side.

Mark Eirich
No, it won't. If JavaScript is disabled the invalid data will be sent through; and furthermore, it only "fixes" things sent through this form. It is not the only way to submit data to a server (you can craft the request manually). Data *must* be validated on display, not on input. This is the only way to do it correctly. Everything else is wrong.
Noon Silk
This is not effective; the attacker can just disable JavaScript and avoid the filter, or they could remove the event handler with a tool like Firebug or Groundspeed. Input validation on the client side does not work: the attacker can remove/bypass/cancel the filter. As @silky mentions, it has to be on the server side.
fms
There is server-side prevention.
Martin Ongtangco
@Martin: if you like my answer, it would be awesome if you mark it as "accepted". Thanks!
Mark Eirich
NOTE: I allowed this answer not because it's the BEST PRACTICE, as @Silky perfectly justified, but because it's the solution needed without TURNING OFF the Page Validation that protects the ASP.NET page. Please take note that I also have SERVER-SIDE prevention aside from this.
Martin Ongtangco
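Putting the answer and the comments side by side, as an added example that is not part of the original answer or its comments: the answer's regex generalized to every occurrence (the `g` flag), next to the server-side output encoding the comments say is the only real defence. The function names are my own, and in ASP.NET the encoding step is done by the framework's HtmlEncode helpers rather than by hand.

```javascript
// Added example (not from the original answer): the answer's regex generalized
// to every "<" that is directly followed by a word character, plus the
// server-side step the comments insist on, HTML-encoding untrusted text at
// the point where it is displayed. Function names are my own.

// Client-side convenience only: inserts a space after "<" when it is glued to a
// word character, so legitimate phrases such as "OMY G<W TUBE/OVARY" do not
// look like a tag start. The "g" flag handles every occurrence, not just the
// first one as in the answer's snippet.
function spaceAngleBrackets(value) {
  return value.replace(/<(\w)/g, '< $1');
}

// Server-side defence (shown here in JavaScript for illustration; in ASP.NET
// this is the job of Server.HtmlEncode / HttpUtility.HtmlEncode): encode the
// five characters that are significant in an HTML text or attribute context.
// This is what actually neutralises a payload; spaceAngleBrackets() does not.
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, function (ch) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch];
  });
}

// Wire the client-side helper to a form when running in a browser; in Node
// (no DOM) this is skipped so the functions can be exercised on their own.
if (typeof document !== 'undefined') {
  var form = document.getElementById('form');
  if (form) {
    form.addEventListener('submit', function () {
      var t = document.getElementById('textbox');
      t.value = spaceAngleBrackets(t.value);
    });
  }
}
```

Note that spaceAngleBrackets() only keeps ASP.NET's request validation from rejecting the page's legitimate phrase; encodeForHtml() (or the framework equivalent) on output is what stops markup from being interpreted.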