Check for script in asp.net text box

Question

We would like to stop users inputing html or javascript in a text box.

We can just parse the input and check for angel brackets. Was wondering is there a better way to do this?

Answer 1

I have found that replacing the angel brackets with encoded angel brackets solves most problems. Here is a reference for all the ways people can cross-site script. Making a regex to stop any flavor of HTML and or Script is damn near impossible.

Answer 2

If you set Page.ValidateRequest = true then it will stop this.

From .net version 1.1 onwards (I think) this is set to true by default.

Answer 3

Can you use a regular expression validator to verify the input?

Answer 4

Page.ValidateRequest will stop this unless you have it turned off.

However, OWASP guidelines (as well pretty much all competent security guidelines) tell you that you should NOT try to limit bad characters in your validation, but instead you should filter so that only specifically allowed characters are used.

http://en.wikipedia.org/wiki/Secure_input_and_output_handling

http://www.owasp.org/index.php/Top_10_2007-A1

For good secure coding practices I would start here and bookmark the site for future reference. http://www.owasp.org/index.php/Top_10_2007