views:

130

answers:

8

In my website I have a forum, and I want to avoid cross site scripting. Do you know a good input validation script?

A: 

following are two articles by me for validating input field will help you to achieve your task

Enhanced Textbox Control

Generic Code of Validating Fields with Jquery

Pranay Rana
A: 

It depends on where do you want to write out the data. For example you need different filter when you write the text into an input field and when you write it simply into the html body, between two tags.

You should implement different filters for the different data types on server side. I suggest you should filter the text when it's printed out, and not when the user sends it to you(of course it's not about sql injections and other server side tricks), because (as I mentioned above) the type of the filter you should use is depends on where the data is printed out.

If you want to write a really simple forum, then it's enough to write only one filter, wich simply removes all html tags from the text before it's printed out. Beware, it's not good for advanced functions, for example edit comments, when you prefill a form for the user, or if the users can use any html tag in their comments, etc.

mimrock
+1  A: 

There are two ways to avoid Cross Site Scripting.

  1. Filter the inputs by the users (mainly script tags and html tags) both at client side as well as on server side.
  2. Display the contents as Html entities to avoid Cross Site Scripting. Ofcourse if you want to show some of the tags, go for option one. Otherwise option two is more reliable.

You can use regular expressions to filter the data both on client side as well as on server side.

anand
I am using appengine, and writing python..
arik
Both the methods mentioned above are language independent. In python you have a good regex support with 're' module to filter the contents.
anand
If you are using Django with appengine it automatically escapes the HTML enities by default.
anand
+1  A: 

I've always relied on the OWASP PHP filters: http://www.owasp.org/index.php/OWASP_PHP_Filters As you can tell from the name, they're server-side (JavaScript or HTML5 validation is only useful for assisting the user) and OWASP (the Open Web Application Security Project) is a non-profit organisation.

tagawa
A: 

Simple. Make sure you escape the HTML from your input object before using it. This way, the data sent will be treated as raw text. The way to do this will be to pass the input through some parser before embedding the data in your page (or working with it somehow).

Yasky
A: 

I agree with anand that there are two major ways to avoid XSS: validation on input and escaping on output. For validating form input, tie into Django's Form Validation Framework: http://code.google.com/appengine/articles/djangoforms.html

Here are some code samples for sanitizing on output within a Django templating. Instead of this:

Welcome, {{ firstname }}!

Do this:

Welcome, {{ firstname|escape }}!

This is from this very good blog post: http://startupsecurity.info/blog/2008/10/28/avoid-xss-on-google-app-engine/

Eric Nguyen
A: 

you have two option for validation. for non-sensitive data client side java script may be use. in java script, you can write simple function for validating your data. if you want it email me at [email protected] .

for sensitive data, you should be use server side scripting like, php,jsp,asp,asp.net etc.

may this will help you.

paraguma
A: 

Server Side

http://www.php.net/manual/en/function.html-entity-decode.php

http://www.php.net/manual/en/function.addslashes.php

http://www.php.net/manual/en/function.stripslashes.php

Check more string functions you need to validate

Client Side

http://www.position-relative.net/creation/formValidator/

better to write your own jquery code, in future it may help you

zod