// Filter out what you think are harmful
string comments = SanitizeData(this.txtComments.Text);
// Process the input fields
comments = System.Web.HttpUtility.HtmlEncode(comments);
}
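/// <summary>
/// Denylist filter that strips &lt;script&gt; blocks and self-closing
/// &lt;script/&gt; tags from <paramref name="input"/>.
/// </summary>
/// <remarks>
/// This is a denylist and, as the surrounding text notes, denylists are easy
/// to bypass; treat it as defence in depth only. The caller still HTML-encodes
/// the result before use, and that output encoding is the control that
/// actually matters.
/// The pattern is compiled once, matched case-insensitively (HTML tag names
/// are not case-sensitive), in Singleline mode so a block spanning several
/// lines is still matched, and with a match timeout so untrusted input cannot
/// keep the regex engine busy indefinitely.
/// </remarks>
/// <param name="input">Untrusted text; may be null or empty.</param>
/// <returns>The input with matching script markup removed; an empty string for null or empty input.</returns>
private static readonly Regex s_scriptTagPattern = new Regex(
    // Two alternatives: a full <script ...>...</script ...> block, or a
    // self-closing <script .../>. The original joined them without '|', so
    // it only matched when both forms appeared back to back.
    @"(\n?<script[^>]*?>.*?</script[^>]*?>)|(\n?<script[^>]*?/>)",
    RegexOptions.IgnoreCase | RegexOptions.Singleline,
    TimeSpan.FromSeconds(1));

private string SanitizeData(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }

    return s_scriptTagPattern.Replace(input, string.Empty);
}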
As Haidar acknowledges later on, blacklisting is of limited effectiveness.
Unfortunately, the code above is easily bypassed. Consider the following input:
<b>hello<s<script></script>cript>alert('hi')</script>;</b>
Of course, RequestValidation should reject the above string. However, in some cases RequestValidation is turned off (to allow legitimate tags like <b> and <i>). In those cases, whitelisting is likely the better route to follow.
For example, we could first convert every < angle bracket to something safe such as a parenthesis (. Then we can go back and convert only the legal sequences into tags, for instance (i> to <i>.
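/// <summary>
/// Tag names that may survive sanitisation, restored only in their exact
/// attribute-free opening and closing forms (e.g. &lt;i&gt; and &lt;/i&gt;).
/// </summary>
private static readonly string[] s_allowedTags = { "b", "i" };

/// <summary>
/// Allowlist sanitiser: every '&lt;' is first neutralised to '(' so that no
/// markup survives, then only the exact allowed tags are converted back.
/// </summary>
/// <remarks>
/// Restoring only the exact "(tag>" and "(/tag>" sequences matters: matching
/// just "(i" (as the original did) would also re-open a tag that carries
/// attributes, and the original never restored closing tags at all, leaving
/// "(/i>" behind in the output. The original also failed to assign the first
/// Regex to a variable, so it did not compile.
/// </remarks>
/// <param name="input">Untrusted text; may be null or empty.</param>
/// <returns>
/// The input with every '&lt;' replaced by '(' except where it formed one of the
/// allowed tags; an empty string for null or empty input.
/// </returns>
private string SanitizeData(string input)
{
    if (string.IsNullOrEmpty(input))
    {
        return string.Empty;
    }

    // Step 1: neutralise all tag openers; anything not restored below stays inert text.
    string goodChars = input.Replace("<", "(");

    // Step 2: put back only the exact allowed opening and closing tags.
    foreach (string tag in s_allowedTags)
    {
        goodChars = goodChars
            .Replace("(" + tag + ">", "<" + tag + ">")
            .Replace("(/" + tag + ">", "</" + tag + ">");
    }

    return goodChars;
}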