Client validation that acts the same as .NET page validator/XSS prevention?

I've got a free text form for people to submit feedback/support requests. Occasionally people will paste in a support ticket or error log that contains something that triggers the .NET page validator as an XSS attempt. This takes the user to the error page as if the site choked on their input.

Preferably, I'd rather have the page do some client-side validation when they press the save button before it's actually submitted.

Is there a regex or some method I can hook into that would do the same basic check on the client side, or will I just have to write a regex that disallows certain characters all together like < and >?

FiniteLooper asked Feb 09 '11 17:02



1 Answer

.NET 4.0's internal CrossSiteScriptingValidation uses the IsDangerousString method to match on these conditions:

If the only occurrence of < or & is at the end of the post data, then it's safe. If < is followed by a-z, A-Z, /, ?, or ! then it's unsafe. If & is followed by a # (octothorpe!) then it's unsafe.

This regex in JavaScript should work:

```javascript
/^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i
```
Nick VanderPyle answered Sep 30 '22 07:09
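As an added example (not code from the answer above or from .NET itself), here is a plain JavaScript check that mirrors the three conditions the answer lists and reports where in the text the problem is, so the form can show the user a specific message instead of the server's error page; the function names and the sample inputs are constructed for this illustration.

```javascript
// Added example: a client-side pre-check mirroring the three IsDangerousString
// conditions described in the answer. It runs before the form is submitted.

// Returns the index of the first sequence the .NET validator would reject, or -1.
function findDangerousIndex(text) {
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c !== '<' && c !== '&') continue;
    if (i === text.length - 1) continue;                // '<' or '&' as last char: safe
    const next = text[i + 1];
    if (c === '<' && /[a-z\/?!]/i.test(next)) return i; // "<b", "</", "<?", "<!"
    if (c === '&' && next === '#') return i;            // "&#60;"-style numeric entities
  }
  return -1;
}

function isDangerousString(text) {
  return findDangerousIndex(text) !== -1;
}

// The answer's regex, kept for comparison; it returns true when the text is safe.
const SAFE_RE = /^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i;
function isSafeByRegex(text) {
  return SAFE_RE.test(text);
}

// Builds the message a form could show next to the textarea: which characters
// to change and where, instead of a generic "potentially dangerous request" page.
function validateFeedback(text) {
  const i = findDangerousIndex(text);
  if (i === -1) return { ok: true, message: '' };
  const snippet = text.slice(i, i + 2);
  return {
    ok: false,
    message: `The sequence "${snippet}" at position ${i} will be rejected by the server. ` +
             'Please remove or escape it before saving.',
  };
}

// Constructed sample inputs of the kind a support form might receive.
const SAMPLES = {
  comparison:  'Error at line 12: value < 5 and x > 3',  // safe: '<' followed by a space
  tag:         'Please see <b>bold</b> text in the log', // unsafe: '<' followed by a letter
  trailingAmp: 'Query: SELECT a FROM t WHERE b=1 &',     // safe: '&' is the last character
  entity:      'Copied from page: &#60;script&#62;',     // unsafe: '&#'
  xmlDecl:     '<?xml version="1.0"?> header pasted',    // unsafe: '<?'
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const v = validateFeedback(text);
  console.log(name, v.ok ? 'safe' : 'unsafe', v.message);
}
```

This only spares the user the error page; the server-side validator stays in place and remains the actual control.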