
Disabling SS Scripting on submit

I was hired to make a Content Management System for a computer
consulting group, and it is almost done. It allows registered users
to submit code that is dynamically inserted into the Live website. It
works, BUT!

I only want CLIENT-SIDE code to be allowed for submission.

Can you give me some ideas as to what I should DIS-allow on submit?
First I will parse the submission using Javascript, and then I will
re-parse with ASP before I allow stuff to be inserted.

Here is my "Black List" so far... Disallow:

1. <%
2. %>
3. HTMLEncode
4. runat

Do you have some other ideas? I am sure other Server-Side scripting
technologies (like PHP and PERL) must use their own ways of doing
stuff, and I bet even in ASP I am forgetting a couple things...

Any help is appreciated.

Thanks,
Holden
PS: The "HTMLEncode" is for stuff like this:
Server.HTMLEncode( string )
PPS: The "runat" is to disallow stuff like this:
<script language="vbscript" runat="server">
Jul 19 '05 #1
What does "dynamically inserted" mean? Do you inject this code directly
into a static ASP file? If you store it in a database and retrieve it at
run time, or insert it into HTML code, it should work fine, and just be
ignored.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/


Jul 19 '05 #2
I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
HTMLEncode is part of the Server object... if you are not allowing <% then
HTMLEncode could never be executed, so this is redundant. I would get rid
of it.

You might consider disallowing server side include tags as well, though I'm
not sure how easy or difficult that would be. And perhaps "<?", "?>", and
"<!".

I guess it depends on how much control you want them to have. For example,
could they include </html> in their text, thus ending the page prematurely?

Regards,
Peter Foti

Jul 19 '05 #3
Thanks for the replies. By "dynamically inserted" I just mean that
users can edit the live site.

I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
HTMLEncode is part of the Server object... if you are not allowing <% then
HTMLEncode could never be executed, so this is redundant.
Point taken, Thanks!
You might consider disallowing server side include tags as well, though I'm
not sure how easy or difficult that would be. And perhaps "<?", "?>", and
The SS Includes is a great idea! Thanks. And the delimiters ("<?",
"?>") are great too, although I am unfamiliar with them...
I guess it depends on how much control you want them to have. For example,
could they include </html> in their text, thus ending the page prematurely?


I want to allow ANY client-side code, even if it is dumb. I want to
eliminate ALL server-side code.

Thanks for the ideas! Anyone else have anything to add?

Holden
Jul 19 '05 #4
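As an added illustration (not code from the thread), here is a JavaScript check that applies the blocklist the thread arrives at: the ASP and PHP delimiters, the server-side include opener, `runat="server"`, and `</html>`. It matches the SSI form `<!--#` rather than Peter's broader `<!` (an assumption here, so ordinary HTML comments and DOCTYPEs still pass), it is intended for the server-side re-parse the original post describes rather than only the browser-side one, and the sample submissions are constructed.

```javascript
// Added example: blocklist scan for user-submitted page fragments.
// Tokens are matched case-insensitively on the raw text, so "<%" and
// "<!--#INCLUDE" are caught regardless of how they were typed.
const SERVER_SIDE_TOKENS = [
  { token: "<%", reason: "ASP code delimiter" },
  { token: "%>", reason: "ASP code delimiter" },
  { token: "<?", reason: "PHP / processing-instruction delimiter" },
  { token: "?>", reason: "PHP / processing-instruction delimiter" },
  { token: "<!--#", reason: "server-side include directive" },
  { token: "</html>", reason: "would end the page prematurely" },
];

// runat="server" is an attribute, so it is matched as a pattern rather
// than a fixed token: whitespace around "=" and either quote style allowed.
const RUNAT_SERVER = /\brunat\s*=\s*["']?\s*server\b/i;

// Returns every hit with its offset, sorted by position, so the rejection
// message can point the submitter at the exact spot. Empty array = clean.
function findServerSideCode(submission) {
  const findings = [];
  const lower = submission.toLowerCase();
  for (const { token, reason } of SERVER_SIDE_TOKENS) {
    let idx = lower.indexOf(token);
    while (idx !== -1) {
      findings.push({ token, reason, offset: idx });
      idx = lower.indexOf(token, idx + token.length);
    }
  }
  const m = RUNAT_SERVER.exec(submission);
  if (m) findings.push({ token: m[0], reason: "server-side script block", offset: m.index });
  return findings.sort((a, b) => a.offset - b.offset);
}

function isClientSideOnly(submission) {
  return findServerSideCode(submission).length === 0;
}

// Constructed sample submissions (not real CMS content).
const SAMPLES = {
  clientOnly: '<div id="news"><script>document.write("hi")</script></div>',
  aspBlock: '<p>x</p><% Response.Write Request("q") %>',
  runat: '<SCRIPT LANGUAGE="VBScript" RUNAT = "Server"></SCRIPT>',
  ssi: '<!--#include virtual="/inc/footer.asp" -->',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, isClientSideOnly(text) ? "accepted" : findServerSideCode(text));
}
```

Note that this only makes sense alongside Aaron's point: if the stored text is written out with Response.Write at run time instead of being pasted into an .asp file, the delimiters are never interpreted in the first place, and the blocklist is a second line of defence rather than the only one.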
