I've got a free text form for people to submit feedback/support requests. Occasionally people will paste in a support ticket or error log that contains something that triggers the .NET page validator as an XSS attempt. This takes the user to the error page as if the site choked on their input.
Preferably, I'd rather have the page do some client-side validation when they press the save button before it's actually submitted.
Is there a regex or some method I can hook into that would do the same basic check on the client side, or will I just have to write a regex that disallows certain characters altogether, like < and >?
Validate input on arrival: Encoding is probably the most important line of XSS defense, but it is not sufficient to prevent XSS vulnerabilities in every context. You should also validate input as strictly as possible at the point when it is first received from a user.
Use the right META tag: The benefit to using this meta tag is that it will greatly reduce the number of potential forms that an XSS script injection can take.
.NET 4.0's internal CrossSiteScriptingValidation uses the IsDangerousString method to match on these conditions:
If the only occurrence of < or & is at the end of the post data, then it's safe.
If < is followed by a-z, A-Z, /, ?, or ! then it's unsafe.
If & is followed by a # (octothorpe!) then it's unsafe.
This regex in javascript should work:
/^(?![\s\S]*<[a-z!\/?])(?![\s\S]*&#)[\s\S]*$/i
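As an added example (not code from the question or the answer above), here is a straight port of the IsDangerousString scan described in the answer, plus a submit handler that stops the post and tells the user which two characters tripped the check. The form and textarea ids are hypothetical.

```javascript
// Client-side port of the .NET 4.0 IsDangerousString conditions described above.
// Returns the index of the first dangerous sequence, or -1 if request validation would pass.
function findDangerousSequence(text) {
  let i = 0;
  for (;;) {
    // Next '<' or '&' from position i, like IndexOfAny(new[] { '<', '&' }, i)
    const lt = text.indexOf('<', i);
    const amp = text.indexOf('&', i);
    let n;
    if (lt < 0 && amp < 0) return -1;        // no starting character left: safe
    else if (lt < 0) n = amp;
    else if (amp < 0) n = lt;
    else n = Math.min(lt, amp);
    if (n === text.length - 1) return -1;    // starting character is the last one: safe
    const next = text.charAt(n + 1);
    if (text.charAt(n) === '<') {
      // '<' followed by a letter, '!', '/' or '?' looks like a tag, comment or PI
      if (/[a-z!\/?]/i.test(next)) return n;
    } else if (next === '#') {
      // '&#' starts a numeric character reference
      return n;
    }
    i = n + 1;                               // keep scanning after this occurrence
  }
}

// Hook the check to the form so the user sees a message instead of the server error page.
function attachValidation(form, textarea) {
  form.addEventListener('submit', (event) => {
    const n = findDangerousSequence(textarea.value);
    if (n >= 0) {
      event.preventDefault();
      alert('Please remove the sequence "' + textarea.value.slice(n, n + 2) +
            '" at position ' + n + ' before submitting.');
    }
  });
}

// Wire-up for a page with <form id="feedback"> and <textarea id="message"> (hypothetical ids).
if (typeof document !== 'undefined') {
  const form = document.getElementById('feedback');
  const textarea = document.getElementById('message');
  if (form && textarea) attachValidation(form, textarea);
}
```

The same check still has to stay on the server; this only spares legitimate users the error page when they paste a log containing something like "&#60;" or "<T>".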