Disabling SS Scripting on submit

I was hired to make a Content Management System for a computer
consulting group, and it is almost done. It allows registered users
to submit code that is dynamically inserted into the Live website. It
works, BUT!

I only want CLIENT-SIDE code to be allowed for submission.

Can you give me some ideas as to what I should DIS-allow on submit?
First I will parse the submission using Javascript, and then I will
re-parse with ASP before I allow stuff to be inserted.

Here is my "Black List" so far... Disallow:

1. <%
2. %>
3. HTMLEncode
4. runat

Do you have some other ideas? I am sure other Server-Side scripting
technologies (like PHP and PERL) must use their own ways of doing
stuff, and I bet even in ASP I am forgetting a couple things...

Any help is appreciated.

Thanks,
Holden
PS: The "HTMLEncode" is for stuff like this:
Server.HTMLEncode( string )
PPS: The "runat" is to disallow stuff like this:
<script language="vbscript" runat="server">
Jul 19 '05 #1
What does "dynamically inserted" mean? Do you inject this code directly
into a static ASP file? If you store it in a database and retrieve it at
run time, or insert it into an HTML code, it should work fine, and just be
ignored.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/


"Holden Caulfield" <co***********@hotmail.com> wrote in message
news:6d**************************@posting.google.com...

Jul 19 '05 #2
"Holden Caulfield" <co***********@hotmail.com> wrote in message
news:6d**************************@posting.google.com...

I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
HTMLEncode is part of the Server object... if you are not allowing <% then
HTMLEncode could never be executed, so this is redundant. I would get rid
of it.

You might consider disallowing server side include tags as well, though I'm
not sure how easy or difficult that would be. And perhaps "<?", "?>", and
"<!".

I guess it depends on how much control you want them to have. For example,
could they include </html> in their text, thus ending the page prematurely?

Regards,
Peter Foti

Jul 19 '05 #3
Thanks for the replies. By "dynamically inserted" I just mean that
users can edit the live site.

> I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
> HTMLEncode is part of the Server object... if you are not allowing <% then
> HTMLEncode could never be executed, so this is redundant.

Point taken, Thanks!

> You might consider disallowing server side include tags as well, though I'm
> not sure how easy or difficult that would be. And perhaps "<?", "?>", and

The SS Includes is a great idea! Thanks. And the delimiters ("<?",
"?>") are great too, although I am unfamiliar with them...

> I guess it depends on how much control you want them to have. For example,
> could they include </html> in their text, thus ending the page prematurely?


I want to allow ANY client-side code, even if it is dumb. I want to
eliminate ALL server-side code.

Thanks for the ideas! Anyone else have anything to add?

Holden
Jul 19 '05 #4
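The checks discussed in this thread (Holden's delimiters and runat, Peter's PHP delimiters, server-side includes and the </html> question), collected into one validator. This is an added example, not code from any of the posters: the element ids in the hook-up comment, the sample submissions and the decision to narrow Peter's "<!" to the SSI directive form "<!--#" are this example's own assumptions.

```javascript
// Added example (not code from the thread): a first-pass, in-browser check that
// rejects a CMS submission containing any of the server-side markers raised in
// the thread. Holden's plan is to run it in JavaScript first and then repeat it
// in ASP; the server-side pass is the one that counts, because a browser check
// is skipped entirely if the form is posted without the script.

// One regex per marker so that the literal token and its case / whitespace
// variants (e.g. 'RunAt = "server"') are both caught.
// Peter's "<!" is narrowed here to "<!--#", the form an SSI directive takes, so
// that ordinary HTML comments and <!DOCTYPE> stay allowed (Holden wants to keep
// all client-side code, however odd). The narrowing is this example's choice.
const SERVER_SIDE_MARKERS = [
  { name: 'ASP delimiter',   re: /<%|%>/ },
  { name: 'PHP delimiter',   re: /<\?|\?>/ },   // also catches <?xml, which is not client-side HTML anyway
  { name: 'SSI directive',   re: /<!--#/ },
  { name: 'runat attribute', re: /\brunat\s*=/i },
];

// Peter's </html> question: a closing html or body tag would end the page early.
// Reported as a warning rather than a rejection, since it is client-side markup.
const PAGE_ENDING_TAG = /<\/\s*(html|body)\s*>/i;

// Returns { ok, rejected, warnings }; ok is false only when a server-side
// marker was found.
function checkSubmission(text) {
  const rejected = SERVER_SIDE_MARKERS
    .filter(m => m.re.test(text))
    .map(m => m.name);
  const warnings = PAGE_ENDING_TAG.test(text)
    ? ['contains </html> or </body>, which would end the page early']
    : [];
  return { ok: rejected.length === 0, rejected, warnings };
}

// Constructed sample submissions (not from the thread), one per case.
const SAMPLES = {
  clientOnly:  '<div id="news"></div><script>document.getElementById("news").textContent = "hi";</script>',
  aspBlock:    '<p>Today is <% = Now() %></p>',
  runatSpaced: '<script language="vbscript" RunAt = "server">Response.End</script>',
  ssiInclude:  '<!--#include virtual="/inc/footer.inc" -->',
  commentOnly: '<!-- editor note --><!DOCTYPE html><p>fine</p>',
  endsPage:    '<p>bye</p></html>',
};

// Hook-up in the page (assumed form and textarea variables; not from the thread):
//   form.addEventListener('submit', e => {
//     if (!checkSubmission(textarea.value).ok) e.preventDefault();
//   });

// Stand-alone run: print the verdict for every sample.
for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(checkSubmission(text)));
}
```

Two points from the thread are worth keeping in mind alongside the token list. Aaron's question is the more important one: if a submission is stored in a database and written into the page as content, an `<%` inside it is inert text, and the denylist is a second line of defence rather than the only one; it is only when submissions are written into an .asp file that the delimiters become executable. And because the page itself does the second pass in ASP, the same patterns should be applied there with the same case-insensitivity, since the browser-side check can simply be bypassed by posting the form directly.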
