Check script in asp.net text box

We would like to prevent users from entering html or javascript in the text box.

We can simply analyze the input and check the angel brackets. I wonder if there is a better way to do this?

+5

javascript asp.net webforms

Shiraz bhaiji 15 sept. '09 at 14:47

5 answers

I found that replacing angel brackets with encoded angel brackets solves most of the problems. Here is a link for all the ways people can cross site script. Creating a regular expression to stop every taste of HTML and Script is almost impossible.

+5

rick schott 15 sept. '09 at 14:55

If you set Page.ValidateRequest = true, then this will stop this.

.net 1.1 ( ) true.

+3

Robin Day 15 . '09 14:52

?

+2

bechbd 15 . '09 14:49

Page.ValidateRequest , .

OWASP ( ) , , , .

http://en.wikipedia.org/wiki/Secure_input_and_output_handling

http://www.owasp.org/index.php/Top_10_2007-A1

. http://www.owasp.org/index.php/Top_10_2007

+1

David 15 . '09 16:03

I came across this html utility. The code uses a white list of tags that are allowed for input. The script then formats the input text and removes tags and scripts that can be used to attack using cross-site scripting.

For your purposes, you cannot have any tags in the white list.

0

skyfoot 15 sept. '09 at 16:10

All Articles