RegEx for XSS (Cross-Site Scripting)?

clintonG

Trying to use the RegularExpressionValidator with the following
expression, [^0-9a-zA-Z], which functions well when using code
with the System.Text.RegularExpressions class, but the same
expression will not function when used with the
RegularExpressionValidator, leaving me wondering "what?"

The expression 'negates' any entry but those alphanumeric
characters 0-9, a-z and A-Z; thus I assume this expression
would be sufficient to disallow XSS exploits, noting that as a matter
of practice I will also continue to use Server.HtmlEncode.

Comments regarding the dysfunction of the expression when used
with the RegularExpressionValidator and 'your' methodology to
prevent XSS exploits will be appreciated.
 
clintonG

Thank you for responding Peter. I'll work with the revised expression
and will certainly avail myself of your work as you referred.

<%= Clinton Gallagher


Peter Blum said:
Your expression should be enclosed in ^ and $ symbols so that every
character must be in this set. In addition, the use of negation is
incorrect. You want the validator to report an error when anything outside
of the letter or digit character set is given. You have indicated that only
these characters are illegal.
Here's a reworked expression:
^[0-9a-zA-Z]*$

Since you are attempting to improve your site's security, please be aware
that there is a new product for ASP.NET sites to protect against XSS, SQL
injection, Input Tampering, and Brute Force Input attacks. I am the author.
It is "Visual Input Security" (http://www.peterblum.com/vise/home.aspx).

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

clintonG said:
Trying to use the RegularExpressionValidator with the following
expression, [^0-9a-zA-Z], which functions well when using code
with the System.Text.RegularExpressions class, but the same
expression will not function when used with the
RegularExpressionValidator, leaving me wondering "what?"

The expression 'negates' any entry but those alphanumeric
characters 0-9, a-z and A-Z; thus I assume this expression
would be sufficient to disallow XSS exploits, noting that as a matter
of practice I will also continue to use Server.HtmlEncode.

Comments regarding the dysfunction of the expression when used
with the RegularExpressionValidator and 'your' methodology to
prevent XSS exploits will be appreciated.

--
<%= Clinton Gallagher, "Twice the Results -- Half the Cost"
Architectural & e-Business Consulting -- Software Development
NET (e-mail address removed)
URL http://www.metromilwaukee.com/clintongallagher/
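To make the whole-input rule from Peter's reply concrete, here is an added example (my own C#, not code from the thread or from Peter Blum's product) that runs both expressions through Regex.IsMatch and through a small helper that mimics the validator's server-side check. The helper's rule (an empty value passes; a non-empty value passes only when the match starts at index 0 and covers the entire string) is how the ASP.NET RegularExpressionValidator evaluates its expression, and the sample inputs are constructed for the demonstration.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not code from the thread: shows why [^0-9a-zA-Z] "works" with
// Regex.IsMatch but misbehaves in RegularExpressionValidator, and how
// ^[0-9a-zA-Z]*$ acts as an allow-list under the validator's whole-input rule.
static class ValidatorDemo
{
    // Regex.IsMatch succeeds when the pattern matches ANYWHERE in the input, so
    // [^0-9a-zA-Z] is true as soon as one non-alphanumeric character exists.
    static bool MatchesAnywhere(string pattern, string input) =>
        Regex.IsMatch(input, pattern);

    // Mimics RegularExpressionValidator's server-side EvaluateIsValid: an empty
    // value is treated as valid (a RequiredFieldValidator covers that case), and
    // a non-empty value passes only if the match starts at index 0 and spans the
    // entire string, i.e. the expression is effectively anchored with ^ and $.
    static bool PassesValidator(string pattern, string input)
    {
        if (input.Trim().Length == 0) return true;
        Match m = Regex.Match(input, pattern);
        return m.Success && m.Index == 0 && m.Length == input.Length;
    }

    static void Main()
    {
        const string negated   = "[^0-9a-zA-Z]";   // the original poster's expression
        const string allowList = "^[0-9a-zA-Z]*$"; // Peter Blum's reworked expression

        // Constructed sample inputs: a clean value, a value carrying markup, and
        // a lone symbol (the only non-empty input the negated pattern can match
        // from index 0 through to the end of the string).
        string[] samples = { "abc123", "<script>", "<" };

        Console.WriteLine("{0,-10} {1,-18} {2,-20} {3}",
            "input", "IsMatch(negated)", "Validator(negated)", "Validator(allowList)");
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-10} {1,-18} {2,-20} {3}",
                s,
                MatchesAnywhere(negated, s),
                PassesValidator(negated, s),
                PassesValidator(allowList, s));
        }
    }
}
```

Under the validator's rule the negated expression rejects the clean value and can only ever validate a single offending character, while the allow-list accepts exactly the fully alphanumeric inputs. Either way, as the original post already notes, output encoding with Server.HtmlEncode still applies; an input allow-list narrows what is stored, it does not replace encoding at render time.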
 
