User Input Validation

  • Thread starter: Buddy Ackerman

Buddy Ackerman

I have a form into which users will enter text. I want the user to be able to enter "some" HTML however I would like to prevent "bad" HTML. The "bad" HTML would be things like <SCRIPT>, <OBJECT>, <APPLET>, etc. Does anyone know of a good server side validator that will catch this type of "bad" HTML input while allowing the acceptable input?


--Buddy
 
I have a form into which users will enter text. I want the user
to be able to enter "some" HTML however I would like to prevent
"bad" HTML. The "bad" HTML would be things like <SCRIPT>,
<OBJECT>,
<APPLET>, etc. Does anyone know of a good server side validator
that will catch this type of "bad" HTML input while allowing the
acceptable input?

Buddy,

Allowing a small subset of HTML tags within user input is fairly easy to do:

http://msdn.microsoft.com/library/d...tingagainstscriptexploitsinwebapplication.asp

or

http://tinyurl.com/3humm
 
"Visual Input Security" (http://www.peterblum.com/vise/home.aspx) includes
validators that protect against Cross Site Scripting attacks, like you
describe. Its validators are much more powerful than what you've
described because hackers can avoid those four nasty tags and still cause
these attacks. It also handles attacks on your database through SQL
Injection.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
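
Added example, not part of any post in this thread and not taken from the linked MSDN article or from Visual Input Security: one way to allow a small subset of HTML is to encode the whole input first and then re-enable only allowlisted, attribute-free tags, which also covers the point above that blocking a few named tags is not enough. The class name CommentSanitizer and the list of allowed tags are assumptions made for the illustration.

```csharp
// Added example: encode everything, then re-enable an allowlist of bare tags.
using System;
using System.Net;
using System.Text.RegularExpressions;

static class CommentSanitizer   // hypothetical name
{
    // Assumption: these attribute-free tags are the only markup users may post.
    static readonly string[] AllowedTags = { "b", "i", "u", "em", "strong", "p", "br" };

    // Matches an already-encoded tag that carries no attributes:
    // &lt;b&gt;  &lt;/b&gt;  &lt;br/&gt;  &lt;br /&gt;
    static readonly Regex EncodedBareTag = new Regex(
        @"&lt;(/?)([a-zA-Z]+)\s*(/?)&gt;", RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralise all markup. After this no raw '<', '>', '"' or '&' remains.
        string encoded = WebUtility.HtmlEncode(input);

        // Step 2: restore only allowlisted tags, rebuilt from the tag name alone,
        // so nothing else the user typed inside the brackets can come back.
        return EncodedBareTag.Replace(encoded, m =>
        {
            string name = m.Groups[2].Value.ToLowerInvariant();
            bool closing = m.Groups[1].Value == "/";
            bool selfClosing = m.Groups[3].Value == "/";
            if (Array.IndexOf(AllowedTags, name) < 0) return m.Value; // stays encoded
            if (closing && selfClosing) return m.Value;               // malformed, stays encoded
            if (closing) return "</" + name + ">";
            return selfClosing ? "<" + name + " />" : "<" + name + ">";
        });
    }

    static void Main()
    {
        // Constructed sample inputs: allowed markup, a blocked tag,
        // an allowed tag carrying an event handler, and a tag outside the list.
        string[] samples = {
            "<b>bold</b> and <i>italic</i>",
            "<SCRIPT>alert(1)</SCRIPT>",
            "<b onmouseover=\"alert(1)\">hover</b>",
            "<img src=x onerror=alert(1)>",
        };
        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

Only the first sample comes back as live markup; in the third, the opening tag stays encoded because it carries an attribute, while its bare closing tag is restored, so the output can contain unbalanced but inert tags.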