Client validation, which acts the same as preventing .NET page authentication / XSS?

Question

Client validation, which acts the same as preventing .NET page authentication / XSS?

I have a free text form for people to send feedback / support requests. Sometimes people go by in a support ticket or in an error log that contains something that launches the .NET page validation tool as an XSS attempt. This displays the user on the error page, as if the site was choking on their input.

I prefer the page to do some client-side validation when they click the save button before it actually appears.

Is there a regular expression or a method with which I can connect, which would perform the same basic validation on the client side, or do I just need to write a regular expression, which prohibits certain characters together as <and >?

+5

regex .net validation asp.net

Chris barr Feb 09 '11 at 17:45

source share

1 answer

Nick VanderPyle · Accepted Answer · 2011-02-09T19:10:04+0000

CrossSiteScriptingValidation.NET 4.0 uses the IsDangerousString method to meet these conditions:

If a single occurrence <or is at the end of the mail data, then it is safe. If <follows az, AZ, / ,? or! it is not safe. If # (octotorp!) Also follows, then this is unsafe.

This regex in javascript should work:

/^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i

Client validation, which acts the same as preventing .NET page authentication / XSS?

More articles: