Need to strip/disable script

Thread starter: Guest

Hello all,

My users can include html with their data, in order to control formatting,
images, etc. in the datagrid I return, but I want to make sure in certain
cases they can't enter script. When I find it I will replace with something
harmless, but I want to make sure I find it.

So far I am trapping for:
- <script>
- onxxx=

Are there other ways they can inject script?

Also, are there other dangerous things they can do without using script?
(outside of the basics like SQL injection, DOS, etc.).

Thanks,

Bill
 
Yes, I'm checking for the latter, thanks.

Also, at least at IE6, the browser correctly ignores any leading spaces
between the "<" and the "script", but I'm on the lookout for this type of
syntactical loophole and other ways to sneak script in there. Any other
thoughts are appreciated.
 
There are numerous ways that one can slip it in. css style expressions
which Microsoft browsers support and events are 2 ways. There have also
been various xml/databinding related syntaxes that have been able to
provide attacks. I would try to see if you could simplify your
formatting somehow.
 
I would html encode everything that is not on a white list. This way you are
sure that only approved html can be entered. Also if a new executable tag or
something like it is added you will already be blocking it.
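The allowlist approach from the last reply, worked through as an added example in Python (this is not code from the thread or from any poster): the markup is re-parsed and rebuilt, keeping only tags and attributes on an explicit list, and everything else is HTML-encoded so the browser renders it as text. The tag list, the `ALLOWED_TAGS`/`sanitize`/`safe_url` names and the sample inputs are assumptions made for the example; the allowlist would be trimmed to whatever formatting the datagrid actually needs.

```python
"""Allowlist-based HTML sanitiser (added example, not code from the thread).

Rebuild the user's markup, keeping only tags and attributes that are on an
explicit allowlist, and HTML-encode everything else.  Unrecognised tags,
event-handler attributes (on*), style attributes and unclosed tags are all
handled by the same rule, so a new executable tag does not need a new
blacklist entry.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: tag -> permitted attributes.  Chosen for this example only.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
    "ul": set(), "ol": set(), "li": set(),
    "img": {"src", "alt"},
    "a": {"href"},
}
VOID_TAGS = {"br", "img"}       # tags that take no closing tag
URL_ATTRS = {"src", "href"}     # attribute values that must be safe URLs
SAFE_SCHEMES = {"http", "https"}


def safe_url(value: str) -> bool:
    """Accept only absolute http(s) URLs; anything else is dropped."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_SCHEMES and bool(parsed.netloc)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []  # allowlisted tags currently open

    def handle_starttag(self, tag, attrs):
        allowed_attrs = ALLOWED_TAGS.get(tag)
        if allowed_attrs is None:
            # Unknown tag (e.g. <script>): encode it so it shows as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            if name.lower() not in allowed_attrs:
                continue  # drops on*, style and anything else not listed
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return  # e.g. <br/> reports a spurious end tag; nothing to close
        if tag in ALLOWED_TAGS and tag in self.open_stack:
            # Close nested tags down to this one so output stays well-formed.
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))

    def result(self) -> str:
        self.close()
        while self.open_stack:  # close anything the user left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Return an allowlisted, well-formed version of the HTML fragment."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs covering the cases discussed in the thread.
    for sample in ["<b>hi</b>",
                   "<script>alert(1)</script>",
                   "< script>alert(1)</script>",
                   '<img src="http://example.com/a.png" onload="x()" alt="pic">',
                   '<p style="color:red">text</p>',
                   "<b>unclosed"]:
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the parser, not a regular expression, decides what is a tag, the "leading space between `<` and `script`" case from the second post simply falls through as text and is encoded; the event attribute on `<img>` and the `style` attribute on `<p>` are dropped because they are not on the allowlist, not because they were matched against a list of known-bad names.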
 
