Hello guys, I am primarily an asp.net programmer, but lately I've been
doing some work with Apache, MySQL and PHP.
Anyways, I have a question that I posted in the microsoft asp.net
newsgroup. Thus far no one there has been able to answer it. I feel
some of you may know the answer, and that's why I'm posting it here...
I have a web app with two textboxes. The first textbox allows users to
type in various text, html tags and CSS. The second textbox, on post
back, will display/markup the text entered from the first textbox. The
idea is that users can insert their own "descriptions" for items
maintained by the website. Obviously if I am going to do something
like this I should be careful, with the threat of XSS attacks, etc...
And so I have decided to use regular expressions to help. I am
actually using something called a .net RegularExpressionValidator
server control...but what's important is that it gets translated into
some javascript code that gets sent out with the HTTP response and
provides a regular expression validator in the browser.
Now, I need to block <script>, <object>, <html>, <body>, <head> and
<form> tags. What expression should I use to match these in the first
textbox? Thus far I cannot even get it to match when I type <script>
and then click my "Preview" button...the page posts back (it is not
blocked by the javascript validation) anyways and then I get
javascript errors in my browser.
I was advised to use the following expression...
\<script\> to match <script> in the first textbox. That does not work.
What expression should I use?
TIA,
JP
jo*********@topscene.com wrote:
And so I have decided to use regular expressions to help. I am
actually using something called a .net RegularExpressionValidator
server control...but what's important is that it gets translated into
some javascript code that gets sent out with the HTTP response and
provides a regular expression validator in the browser.
You specifically say that you want your regular expression to be in
javascript code and you post in a php group.
Guess what group is good for javascript questions?
On Tue, 23 Oct 2007 19:53:32 +0200, <jo*********@topscene.com> wrote:
Hello guys, I am primarily an asp.net programmer, but lately I've been
doing some work with Apache, MySQL and PHP.
Anyways, I have a question that I posted in the microsoft asp.net
newsgroup. Thus far no one there has been able to answer it. I feel
some of you may know the answer, and that's why I'm posting it here...
I have a web app with two textboxes. The first textbox allows users to
type in various text, html tags and CSS. The second textbox, on post
back, will display/markup the text entered from the first textbox. The
idea is that users can insert their own "descriptions" for items
maintained by the website. Obviously if I am going to do something
like this I should be careful, with the threat of XSS attacks, etc...
And so I have decided to use regular expressions to help. I am
actually using something called a .net RegularExpressionValidator
server control...but what's important is that it gets translated into
some javascript code that gets sent out with the HTTP response and
provides a regular expression validator in the browser.
Now, I need to block <script>, <object>, <html>, <body>, <head> and
<form> tags.
Are you sure you don't also want to disable inline javascript events for
any tag?
What expression should I use to match these in the first
textbox? Thus far I cannot even get it to match when I type <script>
and then click my "Preview" button...the page posts back (it is not
blocked by the javascript validation) anyways and then I get
javascript errors in my browser.
I was advised to use the following expression...
\<script\> to match <script> in the first textbox. That does not work.
What expression should I use?
/<script[^>]*>/i
--
Rik Wasmus
On Oct 23, 1:03 pm, "Rik Wasmus" <luiheidsgoe...@hotmail.com> wrote:
thanks, you're right
On Oct 23, 1:03 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote:
Have you never used javascript in any of your web apps? If you just
read the post you will see that the heart of the question is how to
use regular expressions. Have you never used ereg in any of your PHP
code?...sorry to ruin your day.
<jo*********@topscene.com> wrote in message
news:11**********************@k35g2000prh.googlegroups.com...
keeping it purely php...NEVER use ereg. ALWAYS use preg. that is not an
exaggeration.
On Oct 23, 1:53 pm, "Steve" <no....@example.com> wrote:
again, thanks!
.oO(jo*********@topscene.com)
>I have a web app with two textboxes. The first textbox allows users to type in various text, html tags and CSS. The second textbox, on post back, will display/markup the text entered from the first textbox. The idea is that users can insert their own "descriptions" for items maintained by the website. Obviously if I am going to do something like this I should be careful, with the threat of XSS attacks, etc...
Instead of allowing them to use full HTML, you should consider using
something like BBCode, for example. Give them just the things they need,
not more.
With full HTML there are _many_ different ways to include scripting.
It's very hard to block them all, so you shouldn't allow it at all.
Micha
Greetings, jo*********@topscene.com.
In reply to Your message dated Tuesday, October 23, 2007, 21:53:32,
jptc> And so I have decided to use regular expressions to help. I am
jptc> actually using something called a .net RegularExpressionValidator
jptc> server control...but what's important is that it gets translated into
jptc> some javascript code that gets sent out with the HTTP response and
jptc> provides a regular expression validator in the browser.
In PHP, there's a set of useful functions.
Like strip_tags/fgetss, which strip unwanted tags from the input source.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>
"Michael Fesser" <ne*****@gmx.de> wrote in message
news:m6******************************@4ax.com...
> .oO(jo*********@topscene.com)
>> I have a web app with two textboxes. The first textbox allows users to type in various text, html tags and CSS. The second textbox, on post back, will display/markup the text entered from the first textbox. The idea is that users can insert their own "descriptions" for items maintained by the website. Obviously if I am going to do something like this I should be careful, with the threat of XSS attacks, etc...
> Instead of allowing them to use full HTML, you should consider using
> something like BBCode, for example. Give them just the things they need,
> not more.
> With full HTML there are _many_ different ways to include scripting.
> It's very hard to block them all, so you shouldn't allow it at all.
I just got finished struggling with that very thing.
I finally decided to allow HTML - but only a couple of tags.
I built a simple regex that makes sure that anything within <> is a P, H, I,
B - and that's it.
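An added example (not code from the thread or from any poster) that puts Rik's deny-list expression next to a tag allow-list of the kind the last reply describes, so the point Rik and Michael make about inline event handlers and other non-script ways to include scripting shows up on concrete input. The allowed set (bare <p>, <h1>-<h6>, <i>, <b> with no attributes) and the sample strings are assumptions.

```javascript
// Added example, not code from the thread. Compares the deny-list regex
// suggested above with a tag allow-list (assumed set: bare p, h1-h6, i, b).
// Plain JavaScript with no DOM access, so it runs in Node as well as a browser.

// The expression from the thread: matches an opening <script ...> tag.
const SCRIPT_TAG = /<script[^>]*>/i;

// Deny-list check: true when the input contains a <script> tag.
function denyListRejects(input) {
  return SCRIPT_TAG.test(input);
}

// Tag names the allow-list accepts; attributes are never accepted.
const ALLOWED_TAG = /^(p|h[1-6]|i|b)$/i;

// Escape the characters that would otherwise let text be read as markup.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;');
}

// One pass: match either a whole tag (<, optional /, name, attributes, >)
// or a single special character in running text. Allowed bare tags are
// re-emitted in lower case; everything else is escaped, so an unknown tag,
// a stray "<", or an allowed tag carrying attributes such as an
// onmouseover= handler is rendered as literal text rather than as markup.
const TAG_OR_SPECIAL = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[<>&"]/g;

function allowListSanitize(input) {
  return input.replace(TAG_OR_SPECIAL, (match, slash, name, attrs) => {
    if (name !== undefined && ALLOWED_TAG.test(name) && attrs.trim() === '') {
      return '<' + slash + name.toLowerCase() + '>';
    }
    return escapeHtml(match);
  });
}

// Constructed sample "descriptions" of the kind the first textbox receives.
const SAMPLES = [
  '<b>Bold</b> and <I>italic</I> text',
  '<SCRIPT>x()</SCRIPT>',
  '<p onmouseover="x()">hover me</p>',
  'Fish & Chips cost < 5 "quid"',
];

for (const s of SAMPLES) {
  // Deny-list verdict on the left, allow-list output on the right.
  console.log(denyListRejects(s), '|', allowListSanitize(s));
}
```

The .NET validator in the question only runs its expression in the browser, so whichever rule is chosen has to be applied again on the server when the form posts back.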