Cross site scripting prevention and security

#1
Cross site scripting is a big problem on any dynamic page that sends data back to the user.
It can result in cookie and session data being stolen, and other things. Prevention is cheaper than the cure with this function. Code:
function getUserInput(input, stringLength)
    dim newString, regEx
    Set regEx = New RegExp
    ' only specified length
    newString = left(trim(input), stringLength)
    ' pFilteringLevel is a site-wide setting assigned elsewhere (see post #4)
    if pFilteringLevel = 1 then
        ' intended to strip characters outside the allowed set; note that the
        ' trailing ".%" makes this pattern match only runs followed by a "%"
        regEx.Pattern = "([^A-Za-z0-9@=:/*|' _-]+.%)"
        regEx.IgnoreCase = True
        regEx.Global = True
        newString = regEx.Replace(newString, "")
        Set regEx = nothing
        newString = replace(newString, "--", "")
        newString = replace(newString, ";", "")
        newString = replace(newString, "'", "&#39;")
        newString = replace(newString, "<script>", "[script]")
    end if
    if pFilteringLevel = 2 then
        ' level 2 swaps delimiters for their HTML character references
        ' (the forum display decoded these entities in the original post)
        newString = replace(newString, "--", "")
        newString = replace(newString, ";", "&#59;")
        newString = replace(newString, "=", "&#61;")
        newString = replace(newString, "(", "&#40;")
        newString = replace(newString, ")", "&#41;")
        newString = replace(newString, "'", "&#39;")
        newString = replace(newString, """", "&#34;")
        newString = replace(newString, "<script>", "[script]")
    end if
    ' (the post ends here: the return value and End Function are missing,
    '  as post #3 points out)
To use this, here is an example. Code:
Firstname = getUserInput(request.Form("fname"), 50)   ' 50 = maximum length to keep (example value)
That's it, and you can add anything you don't want on your site, including swear words, certain comments, email addresses, links to other sites etc. Enjoy.
#2
Could you please explain to me how this code works?
I understand the replacing, but not quite the regex and pFilteringLevel stuff, and the trim function is also new to me.
#3
Just a note:

1) You forgot the "End Function" statement.
2) This line isn't formatted properly. Code:
newString = replace(newString,"""",""")
3) Where does the "pFilteringLevel" variable come from, where is it being assigned?
4) Your function doesn't return a value.
5) The validation can be bypassed by changing the case of the text from <script> to <SCRIPT>.
6) The best way to prevent XSS attacks is to not allow these types of characters, and if you must allow them then replace them with their HTML equivalent character... Code:
Function CleanUserData(strValue)
    ' Make everything uppercase, so you don't have to worry about case sensitivity
    strValue = UCase(strValue)
    ' Replace the values with their HTML counterpart
    ' (in the post the entities are written "& # 60 ;" with spaces; see the note below)
    strValue = Replace(strValue, "<SCRIPT>", "&#60;script&#62;")
    strValue = Replace(strValue, "</SCRIPT>", "&#60;&#47;script&#62;")
    ' Continue for all characters you want to clean, or you could even store the
    ' values you want replaced in a database along with their "clean" counterpart
    CleanUserData = strValue
End Function
Formatted this way because the browser will read it as HTML if I didn't separate it.

Last edited by Memnoch : April 19th, 2006 at 06:01 PM.
#4
Okay, my bad, sorry, I just took it out of my code. The filter level is a setting I have, depending on what part of the site I want it for,
hence no End Function, as it goes on and on for a while, for my XML feed, and changing the text around and stuff. So below is corrected, and a few valid points taken. Code:
function getUserInput(input, stringLength)
    dim newString, regEx
    Set regEx = New RegExp
    ' only specified length
    newString = left(trim(input), stringLength)
    ' drop every character outside the allowed set (the posted pattern had the
    ' ".%" and "<>()" outside the character class, so it matched almost nothing;
    ' corrected here to the whitelist described below)
    regEx.Pattern = "[^A-Za-z0-9@=:/*|' _.%<>()-]+"
    regEx.IgnoreCase = True
    regEx.Global = True
    newString = regEx.Replace(newString, "")
    Set regEx = nothing
    ' neutralise the delimiters that survive the whitelist
    newString = replace(newString, "--", "")
    newString = replace(newString, ";", "")
    newString = replace(newString, "'", "&#39;")
    newString = replace(newString, "=", "&#61;")
    newString = replace(newString, "(", "[")
    newString = replace(newString, ")", "]")
    newString = replace(newString, "'", "''")   ' no effect: every ' is already &#39; by now
    newString = replace(newString, "<", "[")
    newString = replace(newString, ">", "]")
    getUserInput = newString
end function
I have not capitalised, as the output would be formatted, not filtered, and I have also asked it to ignore case with this line here: regEx.IgnoreCase (as it was before). I have taken out script, and just filtered < > ( ) for [ ] [ ]. How this works: Code:
StrFirstName = GetUserInput(Trim(request.Form("firstName")), 20)
Simply, it takes the string and the max length you want it to be, i.e. 20, and then filters. It first checks that it meets our pattern, i.e. A-Z a-z ? . < > ( ), rather than Chinese or anything else. The trim is just to drop any extra spaces after or before the string. Once these basic settings are set it will then (if found) replace the character in the first " " with what is in the second, so if you wanted to ban the word tickle but have it say wiggle you would add this: Code:
newString = Replace(newString, "tickle", "wiggle")
The data stored would be the data with the new changes applied. It can also be used to format for the database to stop single ' etc.
__________________
A girl's best asset is her 'lie'ability. For Sale: Parachute. Only used once, never opened, small stain. that fold thing
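Added example, not code from this thread or any of its posters. It ports the filter from post #1 and the corrected filter from post #4 to JavaScript (so they can be run anywhere without an ASP host) and puts them beside output encoders that do what post #3's point 6 suggests, but for every markup character rather than a fixed list of tag names. The attack strings, the sample name and the function names are constructed for the example; in classic ASP the nearest built-in to the body-text encoder is Server.HTMLEncode.

```javascript
// Added example (not code from the thread). Ports of the two posted VBScript
// filters, beside context-aware output encoders, so the difference can be run.

// Port of post #1's getUserInput, filtering level 1, regex step omitted:
// trim, cut to maxLength, drop "--" and ";", neuter the literal "<script>".
// VBScript's Replace is case-sensitive by default; so is String.split here.
function blacklistFilterV1(input, maxLength) {
  let s = String(input).trim().slice(0, maxLength);
  s = s.split("--").join("").split(";").join("");
  return s.split("<script>").join("[script]");
}

// Port of post #4's corrected getUserInput: keep only whitelisted characters,
// then swap the surviving delimiters for entities or square brackets.
// (The post's later "'" -> "''" step is dead after the &#39; swap and is left out.)
function whitelistFilterV2(input, maxLength) {
  let s = String(input).trim().slice(0, maxLength);
  s = s.replace(/[^A-Za-z0-9@=:/*|' _.%<>()-]+/g, "");
  const swaps = [["--", ""], [";", ""], ["'", "&#39;"], ["=", "&#61;"],
                 ["(", "["], [")", "]"], ["<", "["], [">", "]"]];
  for (const [from, to] of swaps) s = s.split(from).join(to);
  return s;
}

// Encoder for text between tags: every character that can open or close
// markup becomes a character reference, whatever tag or case it is part of.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                       '"': "&quot;", "'": "&#39;", "/": "&#47;" };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Encoder for a value inside a quoted attribute: everything non-alphanumeric
// becomes &#xHH;, so no quote, space or "=" can end the attribute or add one.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";");
}

// Decoder for the references the two encoders emit, used only to show that
// encoding keeps the user's data intact while filtering destroys it.
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"' };
function decodeEntities(s) {
  return String(s).replace(/&(#x[0-9A-Fa-f]+|#[0-9]+|[a-z]+);/g, (m, body) => {
    if (body[0] !== "#") return body in NAMED_REFS ? NAMED_REFS[body] : m;
    const cp = body[1] === "x" ? parseInt(body.slice(2), 16)
                               : parseInt(body.slice(1), 10);
    return String.fromCodePoint(cp);
  });
}

// A raw <, >, " or ' in output is what lets input change the parsing context.
function hasRawMarkupChars(s) {
  return /[<>"']/.test(s);
}

// Encode at the point of output, with the encoder matching each context.
function renderGreeting(firstName) {
  return '<p title="' + encodeForHtmlAttribute(firstName) + '">Hello, ' +
         encodeForHtml(firstName) + '</p>';
}

// Constructed inputs: three attack strings and one legitimate name.
const CASE_BYPASS = "<SCRIPT>alert(1)</SCRIPT>";       // post #3, point 5
const NO_SCRIPT_TAG = "<img src=x onerror=alert(1)>";  // never contains "<script>"
const ATTR_BREAKOUT = '" onmouseover="alert(1)';       // aimed at a quoted attribute
const LEGIT_NAME = "O'Brien (Sales) <obrien@example.com>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(blacklistFilterV1(CASE_BYPASS, 80));    // passes through untouched
  console.log(blacklistFilterV1(NO_SCRIPT_TAG, 80));  // passes through untouched
  console.log(whitelistFilterV2(LEGIT_NAME, 80));     // O&#39;Brien [Sales] [obrien@example.com]
  console.log(renderGreeting(LEGIT_NAME));            // safe, and still the real name
}
```

The two filters fail in opposite directions: the blacklist lets `<SCRIPT>` and `<img onerror=...>` through untouched, while the whitelist turns a real name and e-mail address into `O&#39;Brien [Sales] [obrien@example.com]` and there is no way back. Encoding at output time, per context, leaves no raw `<`, `>`, `"` or `'` in the page and decodes back to exactly what the user typed, so the same stored value can also go into a parameterised SQL statement or an XML feed with that format's own encoder instead of being pre-mangled for HTML.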
Viewing: ASP Free Forums > Programming > Code Bank > Cross site scripting prevention and security