
User Input Validation

I have a form into which users will enter text. I want the user to be able to enter "some" HTML however I would like to prevent "bad" HTML. The "bad" HTML would be things like <SCRIPT>, <OBJECT>, <APPLET>, etc. Does anyone know of a good server side validator that will catch this type of "bad" HTML input while allowing the acceptable input?
--Buddy
Nov 19 '05 #1


Buddy Ackerman <bu**********@buddyackerman.com> wrote in
news:O6**************@TK2MSFTNGP09.phx.gbl:
> I have a form into which users will enter text. I want the user
> to be able to enter "some" HTML however I would like to prevent
> "bad" HTML. The "bad" HTML would be things like <SCRIPT>,
> <OBJECT>, <APPLET>, etc. Does anyone know of a good server side
> validator that will catch this type of "bad" HTML input while
> allowing the acceptable input?


Buddy,

Allowing a small subset of HTML tags within user input is fairly easy to do:

http://msdn.microsoft.com/library/de...pplication.asp

or

http://tinyurl.com/3humm

--
Hope this helps.

Chris.
-------------
C.R. Timmons Consulting, Inc.
http://www.crtimmonsinc.com/
Nov 19 '05 #2

"Visual Input Security" (http://www.peterblum.com/vise/home.aspx) includes
validators that protect against Cross Site Scripting attacks, like you
describe. Its validators are much more powerful than what you've
described because hackers can avoid those four nasty tags and still cause
these attacks. It also handles attacks on your database through SQL
Injection.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Buddy Ackerman" <bu**********@buddyackerman.com> wrote in message
news:O6**************@TK2MSFTNGP09.phx.gbl...
> I have a form into which users will enter text. I want the user to be able
> to enter "some" HTML however I would like to prevent "bad" HTML. The "bad"
> HTML would be things like <SCRIPT>, <OBJECT>, <APPLET>, etc. Does anyone
> know of a good server side validator that will catch this type of "bad"
> HTML input while allowing the acceptable input?
> --Buddy

Nov 19 '05 #3
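
Added example (not part of either reply, and not code from the linked article or from Visual Input Security): a Python sketch of the allowlist approach to the question, shown beside a denylist of the tags the question names. It assumes the acceptable subset is a handful of attribute-free formatting tags; `ALLOWED_TAGS`, `denylist_accepts` and `sanitize` are hypothetical names, and the sample inputs are constructed.

```python
import html
import re

# Assumption: the "acceptable" HTML is a few formatting tags with no attributes.
ALLOWED_TAGS = ("b", "i", "u", "em", "strong", "p", "br")

# An HTML-encoded, attribute-free opening or closing tag from the allowlist,
# e.g. "&lt;b&gt;" or "&lt;/em&gt;".
ALLOWED_RE = re.compile(r"&lt;(/?)(%s)&gt;" % "|".join(ALLOWED_TAGS), re.IGNORECASE)

# The approach in the question: reject input that names a known-bad tag.
DENY_RE = re.compile(r"<\s*/?\s*(script|object|applet)\b", re.IGNORECASE)


def denylist_accepts(text):
    """Return True when the tag denylist finds nothing to object to."""
    return DENY_RE.search(text) is None


def sanitize(text):
    """HTML-encode everything, then restore only exact allowlisted tags.

    Anything not on the allowlist, including an allowed tag that carries
    attributes, stays encoded and is rendered as literal text.
    """
    encoded = html.escape(text, quote=True)
    return ALLOWED_RE.sub(
        lambda m: "<%s%s>" % (m.group(1), m.group(2).lower()), encoded)


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "<b>bold</b> and <I>italic</I>",
        "<script>alert(1)</script>",
        '<img src="x" onerror="alert(1)">',   # none of the denylisted tags
        '<b onclick="alert(1)">hi</b>',       # allowed tag, disallowed attribute
    ]
    for s in samples:
        print("input:           ", s)
        print("denylist accepts:", denylist_accepts(s))
        print("sanitized:       ", sanitize(s))
        print()
```

The output of `sanitize` is meant to be written into the page as-is; encoding it a second time at render time would turn the restored tags back into literal text.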
