RegEx for XSS (Cross-Site Scripting)?

 
 
clintonG
 
      09-08-2004
Trying to use the RegularExpressionValidator with the following
expression [^0-9a-zA-Z] which functions well when using code
with the System.Text.RegularExpressions class but the same
expression will not function when used with the
RegularExpressionValidator leaving me wondering "what?"

The expression 'negates' any entry but those alphanumeric
characters 0-9, a-z and A-Z thus I assume this expression
would be sufficient to disallow XSS exploits noting as a matter
of practice I will also continue to use Server.HtmlEncode.

Comments regarding the dysfunction of the expression when used
with the RegularExpressionValidator and 'your' methodology to
prevent XSS exploits will be appreciated.

--
<%= Clinton Gallagher, "Twice the Results -- Half the Cost"
Architectural & e-Business Consulting -- Software Development
NET (E-Mail Removed)
URL http://www.metromilwaukee.com/clintongallagher/


 
clintonG
 
      09-10-2004
Thank you for responding Peter. I'll work with the revised expression
and will certainly avail myself of your work as you referred.

<%= Clinton Gallagher


"Peter Blum" <(E-Mail Removed)> wrote in message
news:ec%23$(E-Mail Removed)...
> Your expression should be enclosed in ^ and $ symbols so that every
> character must be in this set. In addition, the use of negation is
> incorrect. You want the validator to report an error when anything outside
> of the letter or digit character set is given. You have indicated that only
> these characters are illegal.
> Here's a reworked expression:
> ^[0-9a-zA-Z]*$
>
> Since you are attempting to improve your site's security, please be aware
> that there is a new product for ASP.NET sites to protect against XSS, SQL
> injection, Input Tampering, and Brute Force Input attacks. I am the author.
> It is "Visual Input Security" (http://www.peterblum.com/vise/home.aspx).
>
> --- Peter Blum
> www.PeterBlum.com
> Email: (E-Mail Removed)
> Creator of "Professional Validation And More" at
> http://www.peterblum.com/vam/home.aspx
>
> "clintonG" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Trying to use the RegularExpressionValidator with the following
> > expression [^0-9a-zA-Z] which functions well when using code
> > with the System.Text.RegularExpressions class but the same
> > expression will not function when used with the
> > RegularExpressionValidator leaving me wondering "what?"
> >
> > The expression 'negates' any entry but those alphanumeric
> > characters 0-9, a-z and A-Z thus I assume this expression
> > would be sufficient to disallow XSS exploits noting as a matter
> > of practice I will also continue to use Server.HtmlEncode.
> >
> > Comments regarding the dysfunction of the expression when used
> > with the RegularExpressionValidator and 'your' methodology to
> > prevent XSS exploits will be appreciated.
> >
> > --
> > <%= Clinton Gallagher, "Twice the Results -- Half the Cost"
> > Architectural & e-Business Consulting -- Software Development
> > NET (E-Mail Removed)
> > URL http://www.metromilwaukee.com/clintongallagher/

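Added example, not part of the thread: a C# comparison of the two expressions discussed above, run both as a search in code and under a whole-input rule like the one the RegularExpressionValidator applies. `ValidatorAccepts` is a hypothetical helper that models that rule (the first match must cover the entire value, and blank input is skipped); the sample inputs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

static class ValidatorRegexDemo
{
    // Hypothetical helper modelling the validator's whole-input rule:
    // blank input is skipped, otherwise the first match must start at
    // index 0 and span the entire value.
    static bool ValidatorAccepts(string value, string expression)
    {
        if (value.Trim().Length == 0) return true;
        Match m = Regex.Match(value, expression);
        return m.Success && m.Index == 0 && m.Length == value.Length;
    }

    static void Main()
    {
        const string negated = "[^0-9a-zA-Z]";     // expression from the first post
        const string reworked = "^[0-9a-zA-Z]*$";  // expression from the reply

        // Constructed sample inputs.
        string[] samples = { "abc123", "<script>", "abc<", "!", "abc123\n", "" };

        Console.WriteLine("{0,-12}{1,-10}{2,-10}{3,-10}{4}",
            "input", "search", "val(neg)", "val(new)", "IsMatch(new)");
        foreach (string s in samples)
        {
            // Use in code: search anywhere for one disallowed character.
            bool foundBadChar = Regex.IsMatch(s, negated);
            // Same expression under the whole-input rule: only a value that is
            // exactly one non-alphanumeric character can pass.
            bool negatedPasses = ValidatorAccepts(s, negated);
            // Anchored allow-list under the whole-input rule.
            bool reworkedPasses = ValidatorAccepts(s, reworked);
            // In .NET, $ also matches just before a final newline, so a bare
            // IsMatch accepts "abc123\n"; the length check above (or \z in
            // place of $) rejects it.
            bool bareIsMatch = Regex.IsMatch(s, reworked);

            Console.WriteLine("{0,-12}{1,-10}{2,-10}{3,-10}{4}",
                "\"" + s.Replace("\n", "\\n") + "\"",
                foundBadChar, negatedPasses, reworkedPasses, bareIsMatch);
        }
    }
}
```

Blank input passes under either expression, so a mandatory field also needs a RequiredFieldValidator.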


 