Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Scrubbing user input

  • 12-09-2009 6:29pm
    #1
    Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭


    Hi,

    I have a method in my base classes that scrubs the text entered by users of malicious characters/words for security reasons. It takes in the input text with an integer value specifying how many characters it should be, and returns the clean text.

    For the most part, this works well, however there are a few fields that require the user to be allowed to enter rich text and html. I'm concious that this is a a vulnerability in my system and it's something I'd like to address.

    My current method strips out charecters using the regular expression:
     sOutput = Regex.Replace(sInput, "[\\s]{2,}", "");
                    sOutput = Regex.Replace(sOutput, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "");
                    sOutput = Regex.Replace(sOutput, "(\\s*&[n|N][b|B][s|S][p|P];\\s*)+", " ");
                    sOutput = Regex.Replace(sOutput, "<(.|\\n)*?>", "");
    

    This removes characters such as "<>" which make it unusable in situations where HTML input is allowed. Can anyone recommend a solution to this?

    Another problem is the ' character. I was originally wrapping this in '' but the text was incorrect when displaying from the DB. I'm also concious that ' can be used in SQL injection attacks, so how do you handle this?

    Thanks very much for any suggestions and advice,
    John


Comments

  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    Ginger wrote: »
    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.

    Perfect, will give this a go. Thanks :)


  • Registered Users, Registered Users 2 Posts: 610 ✭✭✭nialo


    remember when you use this you have to also do the reverse to actually read out the data or else it will just print to the screen as html encoded text..


Advertisement