ASP.NET potentially dangerous Javascript Regex request

What is the regular expression that the Microsoft .NET Framework uses to perform the standard check that results in an HttpRequestValidationException "a potentially dangerous Request.Form value was detected by the client" when HTML or other potentially dangerous content is posted?

I would like an exact copy converted to JavaScript so that the user can be warned earlier.

My current regular expression (/(&#)|<[^<>]+>/) is close, but does not match .NET.

I know this may be different for different versions of .NET, so I would like to know:

  • Regular expression for .NET 2
  • Regular expression for .NET 4
+5
2 answers

You can use some decompilation tool and see for yourself that there is no regular expression at all. It calls a static method CrossSiteScriptingValidation.IsDangerousString.

But perhaps you can use the Microsoft AntiXSS library to achieve the same. In any case, this is the method:

// Characters that can start a dangerous sequence.
private static readonly char[] startingChars = new char[] { '<', '&' };

private static bool IsAtoZ(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

internal static bool IsDangerousString(string s, out int matchIndex)
{
    matchIndex = 0;
    for (int i = 0; ;)
    {
        // Look for the start of one of the patterns.
        int n = s.IndexOfAny(startingChars, i);

        // Not found: the string is safe.
        if (n < 0)
        {
            return false;
        }
        // A '<' or '&' as the very last character is safe.
        if (n == s.Length - 1)
        {
            return false;
        }
        matchIndex = n;
        switch (s[n])
        {
            case '<':
                // '<' followed by a letter, '!', '/' or '?' looks like a tag or comment.
                if (IsAtoZ(s[n + 1]) || s[n + 1] == '!' || s[n + 1] == '/' || s[n + 1] == '?')
                {
                    return true;
                }
                break;
            case '&':
                // '&' followed by '#' looks like a numeric entity, e.g. &#83;
                if (s[n + 1] == '#')
                {
                    return true;
                }
                break;
        }
        // Continue searching after this candidate.
        i = n + 1;
    }
}
+4

I could answer this in another question: fooobar.com/questions/1065413 / ...

This regular expression follows the logic in .NET 4.

/^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i

Look in the .NET source for CrossSiteScriptingValidation to find the logic Microsoft adheres to. fge is right: it does not use a regex; instead it uses some loops and string comparisons, I suspect for performance.

+3
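Since the question asks for a client-side equivalent, here is an added example (not code from either answer) that ports the loop-and-compare logic of IsDangerousString to JavaScript and runs it, alongside the regex from the second answer, over a few constructed form values; the function names and samples are my own.

```javascript
// Added example, not code from the original post: a JavaScript port of
// the loop-and-compare check in .NET's CrossSiteScriptingValidation, so a
// form can warn the user client-side. Names and samples are constructed.
// Returns the index of the first dangerous sequence, or -1 if the value is
// safe: '<' followed by a letter, '!', '/' or '?', or '&' followed by '#'.
// A trailing '<' or '&' with nothing after it is not flagged, as in .NET.
function isDangerousString(s) {
  let i = 0;
  for (;;) {
    // Next candidate starting character at or after position i.
    const lt = s.indexOf('<', i);
    const amp = s.indexOf('&', i);
    let n;
    if (lt < 0) n = amp;
    else if (amp < 0) n = lt;
    else n = Math.min(lt, amp);
    if (n < 0) return -1;              // no candidate left
    if (n === s.length - 1) return -1; // candidate is the last char
    const next = s[n + 1];
    if (s[n] === '<') {
      if (/[a-zA-Z!\/?]/.test(next)) return n;
    } else if (next === '#') {
      return n;
    }
    i = n + 1;
  }
}
// The regex from the second answer, for comparison: it answers "is the
// whole value safe?" rather than "where is the first problem?".
const dotNet4Regex = /^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i;

// Constructed sample form values with the index the check should report.
const samples = [
  ['hello world', -1],
  ['a < b && c > d', -1],    // bare operators are fine
  ['<b>bold</b>', 0],        // '<' followed by a letter
  ['say <!-- hi', 4],        // '<' followed by '!'
  ['Tom &amp; Jerry', -1],   // a named entity is not '&#'
  ['&#60;script&#62;', 0],   // numeric entity
  ['trailing <', -1],        // nothing after the '<'
  ['1 <2', -1],              // digit after '<' is not a letter
];
// Run both checks over the samples; regexSafe should equal (index === -1).
function verdicts() {
  return samples.map(([value, expected]) => ({
    value, expected, index: isDangerousString(value), regexSafe: dotNet4Regex.test(value),
  }));
}
```

The index returned lets a form highlight the offending character, which the whole-value regex cannot do.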
