
Disabling SS Scripting on submit

I was hired to make a Content Management System for a computer
consulting group, and it is almost done. It allows registered users
to submit code that is dynamically inserted into the Live website. It
works, BUT!

I only want CLIENT-SIDE code to be allowed for submission.

Can you give me some ideas as to what I should DIS-allow on submit?
First I will parse the submission using Javascript, and then I will
re-parse with ASP before I allow stuff to be inserted.

Here is my "Black List" so far... Disallow:

1. <%
2. %>
3. HTMLEncode
4. runat

Do you have some other ideas? I am sure other Server-Side scripting
technologies (like PHP and PERL) must use their own ways of doing
stuff, and I bet even in ASP I am forgetting a couple things...

Any help is appreciated.

Thanks,
Holden
PS: The "HTMLEncode" is for stuff like this:
Server.HTMLEncode( string )
PPS: The "runat" is to disallow stuff like this:
<script language="vbscript" runat="server">
Jul 19 '05 #1
What does "dynamically inserted" mean? Do you inject this code directly
into a static ASP file? If you store it in a database and retrieve it at
run time, or insert it into an HTML code, it should work fine, and just be
ignored.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/

Jul 19 '05 #2
I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
HTMLEncode is part of the Server object... if you are not allowing <% then
HTMLEncode could never be executed, so this is redundant. I would get rid
of it.

You might consider disallowing server side include tags as well, though I'm
not sure how easy or difficult that would be. And perhaps "<?", "?>", and
"<!".

I guess it depends on how much control you want them to have. For example,
could they include </html> in their text, thus ending the page prematurely?

Regards,
Peter Foti

Jul 19 '05 #3
Thanks for the replies. By "dynamically inserted" I just mean that
users can edit the live site.

> I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
> HTMLEncode is part of the Server object... if you are not allowing <% then
> HTMLEncode could never be executed, so this is redundant.

Point taken, Thanks!

> You might consider disallowing server side include tags as well, though I'm
> not sure how easy or difficult that would be. And perhaps "<?", "?>", and

The SS Includes is a great idea! Thanks. And the delimiters ("<?",
"?>") are great too, although I am unfamiliar with them...

> I guess it depends on how much control you want them to have. For example,
> could they include </html> in their text, thus ending the page prematurely?


I want to allow ANY client-side code, even if it is dumb. I want to
eliminate ALL server-side code.

Thanks for the ideas! Anyone else have anything to add?

Holden
Jul 19 '05 #4
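An added example, not code from the thread: the denylist check the posters describe (Holden's list plus Peter's additions) written as the JavaScript pre-check Holden says he will run before re-parsing in ASP. The marker names, the regular expressions and the sample submissions are this example's own assumptions.

```javascript
// Denylist of server-side markers discussed in the thread. Each entry is a
// name (this example's own) and a pattern; patterns are case-insensitive
// where the markup itself is, and tolerate whitespace/quote variants.
const SERVER_SIDE_MARKERS = [
  { name: "asp-open",    re: /<%/ },                        // ASP delimiter
  { name: "asp-close",   re: /%>/ },
  // runat="server" in any tag: RunAt = 'Server', runat=server, etc.
  { name: "runat",       re: /\brunat\s*=\s*["']?\s*server\b/i },
  // Server-side include directive, e.g. <!--#include virtual="..." -->
  { name: "ssi",         re: /<!--\s*#\s*(include|exec|echo|config|set)\b/i },
  { name: "php-open",    re: /<\?/ },                       // PHP/XML PI delimiter
  { name: "php-close",   re: /\?>/ },
  // Peter's "<!" suggestion. Caveat: this also rejects ordinary HTML
  // comments and <!DOCTYPE>, which are legitimate client-side markup.
  { name: "markup-decl", re: /<!/ },
];

// Scan a submission and return every marker found with its offset and the
// matched text, so a reviewer can see exactly what tripped the check.
// An empty array means "no listed marker found", not "safe": a denylist only
// catches what it lists, so the same scan must be repeated on the server
// because a browser-side check can simply be skipped by the submitter.
function findServerSideMarkers(submission) {
  const hits = [];
  for (const { name, re } of SERVER_SIDE_MARKERS) {
    const m = re.exec(submission);
    if (m) hits.push({ marker: name, offset: m.index, text: m[0] });
  }
  return hits;
}

// Convenience wrapper for the submit handler: true when nothing was flagged.
function isClientSideOnly(submission) {
  return findServerSideMarkers(submission).length === 0;
}

// Constructed sample submissions (not real user content).
const SAMPLES = {
  clientOnly: '<script type="text/javascript">alert("hi")</script><p>hello</p>',
  aspBlock:   '<p>x</p><% Response.Write(Request("q")) %>',
  runatOdd:   "<script language='vbscript' RunAt = 'Server'>x</script>",
  ssi:        '<!--#include virtual="/inc/header.asp" -->',
  php:        '<?php echo "x"; ?>',
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, isClientSideOnly(text) ? "accepted" : findServerSideMarkers(text));
}
```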