
Scrubbing user input

  • 12-09-2009 07:29PM
    #1
    Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭


    Hi,

    I have a method in my base classes that scrubs the text entered by users of malicious characters/words for security reasons. It takes in the input text with an integer value specifying how many characters it should be, and returns the clean text.

    For the most part, this works well, however there are a few fields that require the user to be allowed to enter rich text and HTML. I'm conscious that this is a vulnerability in my system and it's something I'd like to address.

    My current method strips out characters using the regular expression:

        using System.Text.RegularExpressions;

        // Delete runs of two or more whitespace characters, strip <br> and <p ...> tags,
        // collapse runs of &nbsp; into one space, then remove any remaining tag.
        // [bB] etc. give case-insensitive matching (the original [b|B] also matched a literal '|').
        sOutput = Regex.Replace(sInput, "[\\s]{2,}", "");
        sOutput = Regex.Replace(sOutput, "(<[bB][rR]/*>)+|(<[pP](.|\\n)*?>)", "");
        sOutput = Regex.Replace(sOutput, "(\\s*&[nN][bB][sS][pP];\\s*)+", " ");
        sOutput = Regex.Replace(sOutput, "<(.|\\n)*?>", "");


    This removes characters such as "<>" which makes it unusable in situations where HTML input is allowed. Can anyone recommend a solution to this?

    Another problem is the ' character. I was originally wrapping this in '' but the text was incorrect when displaying from the DB. I'm also concious that ' can be used in SQL injection attacks, so how do you handle this?

    Thanks very much for any suggestions and advice,
    John


Comments

  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    Ginger wrote: »
    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.

    Perfect, will give this a go. Thanks :)


  • Registered Users, Registered Users 2 Posts: 610 ✭✭✭nialo


    remember when you use this you have to also do the reverse to actually read out the data or else it will just print to the screen as html encoded text..
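    Putting Ginger's suggestion and the apostrophe question together, as an added example (not code from the thread): the raw text is stored through a parameterised query so ' needs no doubling, and HtmlEncode is applied only when a plain-text field is rendered. The Comments table, its Body column and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not from the thread. Store the text as typed, encode at render time.
public static class CommentStore
{
    // Assumed schema (placeholder): Comments(Body nvarchar(4000)).
    public static void Save(SqlConnection conn, string body)
    {
        // The apostrophe in O'Brien travels as a parameter value, never spliced into the
        // SQL text, so nothing is doubled and the value reads back exactly as typed.
        using (var cmd = new SqlCommand("INSERT INTO Comments (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = body;
            cmd.ExecuteNonQuery();
        }
    }

    // For fields that are plain text: encode on the way out, so any markup a user typed
    // is shown as literal characters rather than interpreted by the browser.
    public static string RenderAsText(string storedBody)
    {
        return HttpUtility.HtmlEncode(storedBody);
    }

    public static void Main()
    {
        // Constructed input containing both an apostrophe and markup.
        string typed = "O'Brien said <b>hi</b>";

        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        {
            conn.Open();
            Save(conn, typed);
        }

        // The stored value is the unmodified input; only this rendering step encodes it.
        Console.WriteLine(RenderAsText(typed));
    }
}
```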

