RegEx for XSS (Cross-Site Scripting)?
Trying to use the RegularExpressionValidator with the following expression, [^0-9a-zA-Z], which functions well when using code with the System.Text.RegularExpressions class, but the same expression will not function when used with the RegularExpressionValidator, leaving me wondering "what?"

The expression 'negates' any entry but those alphanumeric characters 0-9, a-z and A-Z, thus I assume this expression would be sufficient to disallow XSS exploits, noting as a matter of practice I will also continue to use Server.HtmlEncode.

Comments regarding the dysfunction of the expression when used with the RegularExpressionValidator and 'your' methodology to prevent XSS exploits will be appreciated.

--
<%= Clinton Gallagher, "Twice the Results -- Half the Cost"
Architectural & e-Business Consulting -- Software Development NET
csgallagher@REMOVETHISTEXTmetromilwaukee.com
URL http://www.metromilwaukee.com/clintongallagher/
Re: RegEx for XSS (Cross-Site Scripting)?
Thank you for responding, Peter. I'll work with the revised expression and will certainly avail myself of your work as you referred.

<%= Clinton Gallagher

"Peter Blum" <PLBlum@Blum.info> wrote in message news:ec%23$ASplEHA.2680@TK2MSFTNGP15.phx.gbl...
> Your expression should be enclosed in ^ and $ symbols so that every
> character must be in this set. In addition, the use of negation is
> incorrect. You want the validator to report an error when anything outside
> of the letter or digit character set is given. You have indicated that only
> these characters are illegal.
> Here's a reworked expression:
> ^[0-9a-zA-Z]*$
>
> Since you are attempting to improve your site's security, please be aware
> that there is a new product for ASP.NET sites to protect against XSS, SQL
> injection, Input Tampering, and Brute Force Input attacks. I am the author.
> It is "Visual Input Security" (http://www.peterblum.com/vise/home.aspx).
>
> --- Peter Blum
> www.PeterBlum.com
> Email: PLBlum@PeterBlum.com
> Creator of "Professional Validation And More" at
> http://www.peterblum.com/vam/home.aspx
>
> "clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in message
> news:urp1KeclEHA.536@TK2MSFTNGP11.phx.gbl...
> > Trying to use the RegularExpressionValidator with the following
> > expression [^0-9a-zA-Z] which functions well when using code
> > with the System.Text.RegularExpressions class but the same
> > expression will not function when used with the
> > RegularExpressionValidator leaving me wondering "what?"
> >
> > The expression 'negates' any entry but those alphanumeric
> > characters 0-9, a-z and A-Z thus I assume this expression
> > would be sufficient to disallow XSS exploits noting as a matter
> > of practice I will also continue to use Server.HtmlEncode.
> >
> > Comments regarding the dysfunction of the expression when used
> > with the RegularExpressionValidator and 'your' methodology to
> > prevent XSS exploits will be appreciated.
> >
> > --
> > <%= Clinton Gallagher, "Twice the Results -- Half the Cost"
> > Architectural & e-Business Consulting -- Software Development
> > NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
> > URL http://www.metromilwaukee.com/clintongallagher/
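The reason the original expression "works" in code but not in the validator, worked through as an added example (this is not code from the thread, from Peter Blum's product, or from ASP.NET itself). The RegularExpressionValidator requires the pattern to match the entire submitted value, both in its server-side check and in the client-side JavaScript it emits, whereas Regex.IsMatch in System.Text.RegularExpressions searches for the pattern anywhere in the string. Under whole-string matching, the negated class [^0-9a-zA-Z] can only ever match a single non-alphanumeric character, so it rejects ordinary input like "clinton42" and accepts "!", which is the opposite of the intent; the anchored allowlist ^[0-9a-zA-Z]*$ behaves as expected. The two helper functions below emulate those two matching modes; the sample inputs are constructed for the demonstration, and htmlEncode is an assumed approximation of what Server.HtmlEncode does on the output side, included because a validator alone only covers fields it is attached to and only the characters it rejects.

```javascript
// Emulates the RegularExpressionValidator: the pattern must match the
// ENTIRE value (the control checks the match starts at 0 and spans the
// whole string), and an empty value passes, because only a
// RequiredFieldValidator rejects blanks. Caveat worth remembering: "*"
// in the allowlist also admits an empty string.
function validatorAccepts(pattern, value) {
  if (value === "") return true;
  const m = new RegExp(pattern).exec(value);
  return m !== null && m.index === 0 && m[0].length === value.length;
}

// Emulates Regex.IsMatch(value, pattern): true if the pattern matches
// ANYWHERE in the value. This is the search semantics the original poster
// observed "functioning well" in code.
function searchMatches(pattern, value) {
  return new RegExp(pattern).test(value);
}

const NEGATED = "[^0-9a-zA-Z]";     // the original poster's pattern
const ALLOWLIST = "^[0-9a-zA-Z]*$"; // Peter Blum's reworked pattern

// Constructed sample inputs (not from the thread).
const SAMPLES = ["clinton42", "<script>", "a<b", "", "!"];

// Compares what each pattern does to one value under each matching mode.
function compare(value) {
  return {
    value,
    // As used in code: "does the value contain a forbidden character?"
    containsForbidden: searchMatches(NEGATED, value),
    // As used in the validator: a whole-string match of the negated class
    // succeeds only when the entire value is ONE non-alphanumeric char.
    negatedValidatorAccepts: validatorAccepts(NEGATED, value),
    // The anchored allowlist: every character must be a letter or digit.
    allowlistValidatorAccepts: validatorAccepts(ALLOWLIST, value),
  };
}

// Assumed approximation of Server.HtmlEncode for HTML text/attribute
// context: encode the characters that can close out of that context.
// Output encoding belongs on every rendered field, validated or not.
function htmlEncode(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

for (const v of SAMPLES) {
  console.log(JSON.stringify(compare(v)), "->", htmlEncode(v));
}
```

Run with node; each line shows that [^0-9a-zA-Z] answers "contains a forbidden character" when searched, rejects every multi-character value when forced to match the whole string, and that ^[0-9a-zA-Z]*$ is the form that encodes the allow-only-alphanumerics rule the poster wanted.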