Question About Regular Expression

Hello guys, I am primarily an asp.net programmer, but lately I've been
doing some work with Apache, MySQL and PHP.

Anyways, I have a question that I posted in the microsoft asp.net
newsgroup. Thus far no one there has been able to answer it. I feel
some of you may know the answer, and that's why I'm posting it here...

I have a web app with two textboxes. The first textbox allows users to
type in various text, html tags and CSS. The second textbox, on post
back, will display/markup the text entered from the first textbox. The
idea is that users can insert their own "descriptions" for items
maintained by the website. Obviously if I am going to do something
like this I should be careful, with the threat of XSS attacks, etc...

And so I have decided to use regular expressions to help. I am
actually using something called a .net RegularExpressionValidator
server control...but what's important is that it get translated into
some javascript code that gets sent out with the HTTP response and
provides a regular expression validator in the browser.

Now, I need to block <script>, <object>, <html>, <body>, <head> and
<form> tags. What expression should I use to match these in the first
textbox? Thus far I cannot even get it to match when I type <script>
and then click my "Preview" button...the page posts back (it is not
blocked by the javascript validation) anyways and then I get
javascript errors in my browser.

I was advised to use the following expression...

\<script\> to match <script> in the first textbox. That does not work.
What expression should I use?

TIA,
JP

Oct 23 '07 #1
jo*********@topscene.com wrote:
> And so I have decided to use regular expressions to help. I am
> actually using something called a .net RegularExpressionValidator
> server control...but what's important is that it get translated into
> some javascript code that gets sent out with the HTTP response and
> provides a regular expression validator in the browser.

You specifically say that you want your regular expression to be in
javascript code and you post in a php group.

Guess what group is good for javascript questions?

Oct 23 '07 #2
On Tue, 23 Oct 2007 19:53:32 +0200, <jo*********@topscene.com> wrote:
> Hello guys, I am primarily an asp.net programmer, but lately I've been
> doing some work with Apache, MySQL and PHP.
>
> Anyways, I have a question that I posted in the microsoft asp.net
> newsgroup. Thus far no one there has been able to answer it. I feel
> some of you may know the answer, and that's why I'm posting it here...
>
> I have a web app with two textboxes. The first textbox allows users to
> type in various text, html tags and CSS. The second textbox, on post
> back, will display/markup the text entered from the first textbox. The
> idea is that users can insert their own "descriptions" for items
> maintained by the website. Obviously if I am going to do something
> like this I should be careful, with the threat of XSS attacks, etc...
>
> And so I have decided to use regular expressions to help. I am
> actually using something called a .net RegularExpressionValidator
> server control...but what's important is that it get translated into
> some javascript code that gets sent out with the HTTP response and
> provides a regular expression validator in the browser.
>
> Now, I need to block <script>, <object>, <html>, <body>, <head> and
> <form> tags.

Are you sure you don't also want to disable inline javascript events for
any tag?

> What expression should I use to match these in the first
> textbox? Thus far I cannot even get it to match when I type <script>
> and then click my "Preview" button...the page posts back (it is not
> blocked by the javascript validation) anyways and then I get
> javascript errors in my browser.
>
> I was advised to use the following expression...
>
> \<script\> to match <script> in the first textbox. That does not work.
> What expression should I use?

/<script[^>]*>/i
--
Rik Wasmus
Oct 23 '07 #3
On Oct 23, 1:03 pm, "Rik Wasmus" <luiheidsgoe...@hotmail.com> wrote:
> On Tue, 23 Oct 2007 19:53:32 +0200, <joey.pow...@topscene.com> wrote:
>> Hello guys, I am primarily an asp.net programmer, but lately I've been
>> doing some work with Apache, MySQL and PHP.
>> Anyways, I have a question that I posted in the microsoft asp.net
>> newsgroup. Thus far no one there has been able to answer it. I feel
>> some of you may know the answer, and that's why I'm posting it here...
>> I have a web app with two textboxes. The first textbox allows users to
>> type in various text, html tags and CSS. The second textbox, on post
>> back, will display/markup the text entered from the first textbox. The
>> idea is that users can insert their own "descriptions" for items
>> maintained by the website. Obviously if I am going to do something
>> like this I should be careful, with the threat of XSS attacks, etc...
>> And so I have decided to use regular expressions to help. I am
>> actually using something called a .net RegularExpressionValidator
>> server control...but what's important is that it get translated into
>> some javascript code that gets sent out with the HTTP response and
>> provides a regular expression validator in the browser.
>> Now, I need to block <script>, <object>, <html>, <body>, <head> and
>> <form> tags.
>
> Are you sure you don't also want to disable inline javascript events for
> any tag?
>> What expression should I use to match these in the first
>> textbox? Thus far I cannot even get it to match when I type <script>
>> and then click my "Preview" button...the page posts back (it is not
>> blocked by the javascript validation) anyways and then I get
>> javascript errors in my browser.
>> I was advised to use the following expression...
>> \<script\> to match <script> in the first textbox. That does not work.
>> What expression should I use?
>
> /<script[^>]*>/i
> --
> Rik Wasmus

thanks, you're right

Oct 23 '07 #4
On Oct 23, 1:03 pm, "Paul Lautman" <paul.laut...@btinternet.com>
wrote:
> joey.pow...@topscene.com wrote:
>> And so I have decided to use regular expressions to help. I am
>> actually using something called a .net RegularExpressionValidator
>> server control...but what's important is that it get translated into
>> some javascript code that gets sent out with the HTTP response and
>> provides a regular expression validator in the browser.
>
> You specifically say that you want your regular expression to be in
> javascript code and you post in a php group.
>
> Guess what group is good for javascript questions?

Have you never used javascript in any of your web apps? If you just
read the post you will see that the heart of the question is at how to
use regular expressions. Have you never used ereg in any of your PHP
code?...sorry to ruin your day.

Oct 23 '07 #5

<jo*********@topscene.com> wrote in message
news:11**********************@k35g2000prh.googlegroups.com...
> On Oct 23, 1:03 pm, "Paul Lautman" <paul.laut...@btinternet.com>
> wrote:
>> joey.pow...@topscene.com wrote:
>>> And so I have decided to use regular expressions to help. I am
>>> actually using something called a .net RegularExpressionValidator
>>> server control...but what's important is that it get translated into
>>> some javascript code that gets sent out with the HTTP response and
>>> provides a regular expression validator in the browser.
>>
>> You specifically say that you want your regular expression to be in
>> javascript code and you post in a php group.
>>
>> Guess what group is good for javascript questions?
>
> Have you never used javascript in any of your web apps? If you just
> read the post you will see that the heart of the question is at how to
> use regular expressions. Have you never used ereg in any of your PHP
> code?...sorry to ruin your day.

keeping it purely php...NEVER use ereg. ALWAYS use preg. that is not an
exaggeration.
Oct 23 '07 #6
On Oct 23, 1:53 pm, "Steve" <no....@example.com> wrote:
> <joey.pow...@topscene.com> wrote in message
> news:11**********************@k35g2000prh.googlegroups.com...
>> On Oct 23, 1:03 pm, "Paul Lautman" <paul.laut...@btinternet.com>
>> wrote:
>>> joey.pow...@topscene.com wrote:
>>>> And so I have decided to use regular expressions to help. I am
>>>> actually using something called a .net RegularExpressionValidator
>>>> server control...but what's important is that it get translated into
>>>> some javascript code that gets sent out with the HTTP response and
>>>> provides a regular expression validator in the browser.
>>> You specifically say that you want your regular expression to be in
>>> javascript code and you post in a php group.
>>> Guess what group is good for javascript questions?
>> Have you never used javascript in any of your web apps? If you just
>> read the post you will see that the heart of the question is at how to
>> use regular expressions. Have you never used ereg in any of your PHP
>> code?...sorry to ruin your day.
>
> keeping it purely php...NEVER use ereg. ALWAYS use preg. that is not an
> exaggeration.

again, thanks!

Oct 23 '07 #7
.oO(jo*********@topscene.com)
> I have a web app with two textboxes. The first textbox allows users to
> type in various text, html tags and CSS. The second textbox, on post
> back, will display/markup the text entered from the first textbox. The
> idea is that users can insert their own "descriptions" for items
> maintained by the website. Obviously if I am going to do something
> like this I should be careful, with the threat of XSS attacks, etc...

Instead of allowing them to use full HTML, you should consider to use
something like BBCode for example. Give them just the things they need,
not more.

With full HTML there are _many_ different ways to include scripting.
It's very hard to block them all, so you shouldn't allow it at all.

Micha
Oct 23 '07 #8
Greetings, jo*********@topscene.com.
In reply to Your message dated Tuesday, October 23, 2007, 21:53:32,

jptc> And so I have decided to use regular expressions to help. I am
jptc> actually using something called a .net RegularExpressionValidator
jptc> server control...but what's important is that it get translated into
jptc> some javascript code that gets sent out with the HTTP response and
jptc> provides a regular expression validator in the browser.

In PHP, there's a set of useful functions.
Like strip_tags/fgetss, which strip unwanted tags from the input source.
--
Sincerely Yours, AnrDaemon <an*******@freemail.ru>

Oct 24 '07 #9
"Michael Fesser" <ne*****@gmx.de> wrote in message
news:m6********************************@4ax.com...
> .oO(jo*********@topscene.com)
>> I have a web app with two textboxes. The first textbox allows users to
>> type in various text, html tags and CSS. The second textbox, on post
>> back, will display/markup the text entered from the first textbox. The
>> idea is that users can insert their own "descriptions" for items
>> maintained by the website. Obviously if I am going to do something
>> like this I should be careful, with the threat of XSS attacks, etc...
>
> Instead of allowing them to use full HTML, you should consider to use
> something like BBCode for example. Give them just the things they need,
> not more.
>
> With full HTML there are _many_ different ways to include scripting.
> It's very hard to block them all, so you shouldn't allow it at all.

I just got finished struggling with that very thing.
I finally decided to allow HTML - but only a couple of tags.
I built a simple regex that makes sure that anything within <> is a P, H, I,
B - and that's it.

> Micha

Oct 24 '07 #10
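
As an added example (not code from any poster in this thread): the blacklist expression from reply #3 next to an allowlist filter along the lines replies #8 and #10 describe, in JavaScript. Reading "H" as `h1` to `h6`, the function names and the sample inputs are assumptions of this example.

```javascript
// Added example; not code from any poster in this thread.

// Blacklist expression suggested in reply #3.
const BLACKLIST = /<script[^>]*>/i;

// Allowlist after reply #10: bare P, H, I and B tags, no attributes.
// Assumption: "H" means h1..h6.
const ALLOWED_TAG = /^<(\/?)(p|h[1-6]|i|b)>$/i;

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

// True when the blacklist would let the input through.
function blacklistAccepts(input) {
  return !BLACKLIST.test(input);
}

// Keep allowlisted tags, escape everything else, and keep the markup balanced.
function filterDescription(input) {
  const open = [];                        // stack of currently open allowed tags
  // The capturing group makes split() return the tag-like tokens as well.
  const out = input.split(/(<[^<>]*>)/).map(token => {
    const m = ALLOWED_TAG.exec(token);
    if (!m) return escapeHtml(token);     // text, unknown tag, or tag with attributes
    const name = m[2].toLowerCase();
    if (m[1] === '') {                    // opening tag
      open.push(name);
      return `<${name}>`;
    }
    if (open[open.length - 1] === name) { // closes the innermost open tag
      open.pop();
      return `</${name}>`;
    }
    return escapeHtml(token);             // stray or mis-nested closing tag
  });
  while (open.length) out.push(`</${open.pop()}>`); // close what was left open
  return out.join('');
}

// Constructed sample inputs.
const samples = [
  '<B>bold</B> and <script>x()</script>',
  '<b onmouseover="x()">hover</b>',       // inline event handler, as raised in reply #3
  '<i>never closed',
];
for (const s of samples) {
  console.log(blacklistAccepts(s), JSON.stringify(filterDescription(s)));
}
```

The filter has to run on the server when the description is saved or rendered; the browser-side validator only helps honest users, since a request can be posted without it.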
<jo*********@topscene.com> wrote in message
news:11**********************@k35g2000prh.googlegroups.com...
> On Oct 23, 1:03 pm, "Paul Lautman" <paul.laut...@btinternet.com>
>> Guess what group is good for javascript questions?
>
> Have you never used javascript in any of your web apps? If you just
> read the post you will see that the heart of the question is at how to
> use regular expressions. Have you never used ereg in any of your PHP
> code?...sorry to ruin your day.

I drink juice when I'm programming.
Let's talk about juice - since it's topical. ;)
Oct 24 '07 #11
On Oct 24, 12:06 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
> "Michael Fesser" <neti...@gmx.de> wrote in message
> news:m6********************************@4ax.com...
>> .oO(joey.pow...@topscene.com)
>>> I have a web app with two textboxes. The first textbox allows users to
>>> type in various text, html tags and CSS. The second textbox, on post
>>> back, will display/markup the text entered from the first textbox. The
>>> idea is that users can insert their own "descriptions" for items
>>> maintained by the website. Obviously if I am going to do something
>>> like this I should be careful, with the threat of XSS attacks, etc...
>> Instead of allowing them to use full HTML, you should consider to use
>> something like BBCode for example. Give them just the things they need,
>> not more.
>> With full HTML there are _many_ different ways to include scripting.
>> It's very hard to block them all, so you shouldn't allow it at all.
>
> I just got finished struggling with that very thing.
> I finally decided to allow HTML - but only a couple of tags.
> I built a simple regex that makes sure that anything within <> is a P, H, I,
> B - and that's it.
>
>> Micha

So do you have a simple expression that will match on "<script>" (omit
the double quotes)?

Oct 24 '07 #12

<jo*********@topscene.com> wrote in message
news:11**********************@i13g2000prf.googlegroups.com...
> On Oct 24, 12:06 pm, "Sanders Kaufman" <bu...@kaufman.net> wrote:
>> "Michael Fesser" <neti...@gmx.de> wrote in message
>> news:m6********************************@4ax.com...
>>> .oO(joey.pow...@topscene.com)
>>>> I have a web app with two textboxes. The first textbox allows users to
>>>> type in various text, html tags and CSS. The second textbox, on post
>>>> back, will display/markup the text entered from the first textbox. The
>>>> idea is that users can insert their own "descriptions" for items
>>>> maintained by the website. Obviously if I am going to do something
>>>> like this I should be careful, with the threat of XSS attacks, etc...
>>> Instead of allowing them to use full HTML, you should consider to use
>>> something like BBCode for example. Give them just the things they need,
>>> not more.
>>> With full HTML there are _many_ different ways to include scripting.
>>> It's very hard to block them all, so you shouldn't allow it at all.
>>
>> I just got finished struggling with that very thing.
>> I finally decided to allow HTML - but only a couple of tags.
>> I built a simple regex that makes sure that anything within <> is a P, H, I,
>> B - and that's it.
>>
>>> Micha
>
> So do you have a simple expression that will match on "<script>" (omit
> the double quotes)?

google.
Oct 24 '07 #13
