cve60069 Posted October 12, 2013 Share Posted October 12, 2013 Hello I need to disable malicious scripts from entering through an input text box. Is there an example of the code necessary to disable < and %3 type instructions. I am sure there are more. Regards Link to comment Share on other sites More sharing options...
davej Posted October 12, 2013 Share Posted October 12, 2013 This is not an appropriate task for Javascript. This is a task for your server-side code such as Php or Dot-Net. Link to comment Share on other sites More sharing options...
MrFish Posted October 13, 2013 Share Posted October 13, 2013 This is not an appropriate task for Javascript. This is a task for your server-side code such as Php or Dot-Net. This. If I can elaborate- The reason is because- like html- javascript can be changed by the user after it's sent out. That and there's more than one way to submit a form without a browser. The golden rule is that you can never trust anything coming from a user and your server always needs to validate it. Doesn't matter if it's web or a desktop application. Pretty much everything can be changed on the users computer. Link to comment Share on other sites More sharing options...
cve60069 Posted October 13, 2013 Author Share Posted October 13, 2013 I want to prevent cross-site scripting such as described in the javascript definitive guide (o'reilly) page 336: ie name.replace(/</g,"<"). My question was; are there other control-codes such as < I need to replace. Regards Link to comment Share on other sites More sharing options...
cve60069 Posted October 13, 2013 Author Share Posted October 13, 2013 This did the trick var n = text.replace(/</g,'<').replace(/>/g,'>').replace(/%3C/g,'<').replace(/%3E/g,'>') Link to comment Share on other sites More sharing options...
davej Posted October 13, 2013 Share Posted October 13, 2013 (edited) This is said to be for XSS. The book references http://www.cert.org/advisories/CA-2000-02.html Can we actually inject a <script>? I cannot seem to get it to work using a input text field. <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>xss test</title><script>window.onerror = function(m, u, l){alert('Javascript Error: '+m+'nURL: '+u+'nLine Number: '+l);return true;}</script><script>window.onload = init;function init(){document.getElementById('btn1').onclick = put;var txt = '';document.getElementById('out1').innerHTML = 'length: '+ txt.length;document.getElementById('out2').innerHTML = txt;}function put(){var txt = document.getElementById('in1').value;//alert('input length: '+ txt.length);document.getElementById('out1').innerHTML = 'length: '+ txt.length;document.getElementById('out2').innerHTML = txt;}</script></head><body><p>Input the script <script>alert('hi');</script></p><input type="text" id="in1" placeholder="inject script here"/><input type="button" id="btn1" value="Enter"/><div id="out1"></div><div id="out2"></div></body></html> Edited October 13, 2013 by davej Link to comment Share on other sites More sharing options...
davej Posted October 14, 2013 Share Posted October 14, 2013 So far I have not been able to inject anything that would actually execute. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now