RegEx for XSS (Cross-Site Scripting)?

Discussion in 'ASP .Net Security' started by clintonG, Sep 8, 2004.

  1. clintonG

    clintonG Guest

    Trying to use the RegularExpressionValidator with the following
    expression [^0-9a-zA-Z] which functions well when using code
    with the System.Text.RegularExpressions class but the same
    expression will not function when used with the
    RegularExpressionValidator leaving me wondering "what?"

    The expression 'negates' any entry but those alphanumeric
    characters 0-9, a-z and A-Z thus I assume this expression
    would be sufficient to disallow XSS exploits noting as a matter
    of practice I will also continue to use Server.HtmlEncode.

    Comments regarding the dysfunction of the expression when used
    with the RegularExpressionValidator and 'your' methodology to
    prevent XSS exploits will be appreciated.

    --
    <%= Clinton Gallagher, "Twice the Results -- Half the Cost"
    Architectural & e-Business Consulting -- Software Development
    NET
    URL http://www.metromilwaukee.com/clintongallagher/
    clintonG, Sep 8, 2004
    #1

  2. clintonG

    clintonG Guest

    Thank you for responding Peter. I'll work with the revised expression
    and will certainly avail myself of your work as you referred.

    <%= Clinton Gallagher


    "Peter Blum" <> wrote in message
    news:ec%23$...
    > Your expression should be enclosed in ^ and $ symbols so that every
    > character must be in this set. In addition, the use of negation is
    > incorrect. You want the validator to report an error when anything outside
    > of the letter or digit character set is given. You have indicated that
    > only these characters are illegal.
    > Here's a reworked expression:
    > ^[0-9a-zA-Z]*$
    >
    > Since you are attempting to improve your site's security, please be aware
    > that there is a new product for ASP.NET sites to protect against XSS, SQL
    > injection, Input Tampering, and Brute Force Input attacks. I am the author.
    > It is "Visual Input Security" (http://www.peterblum.com/vise/home.aspx).
    >
    > --- Peter Blum
    > www.PeterBlum.com
    > Email:
    > Creator of "Professional Validation And More" at
    > http://www.peterblum.com/vam/home.aspx
    >
    clintonG, Sep 10, 2004
    #2
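To make the difference between the two patterns concrete, here is an added Python example (not code from the thread or from either poster). It assumes that the RegularExpressionValidator accepts a value only when the match covers the entire input and that it treats an empty value as valid, and it emulates that with `re.fullmatch`; the function names are hypothetical.

```python
import html
import re

# The negated class from the original post and the anchored allow-list
# pattern from Peter Blum's reply.
NEGATED_CLASS = r"[^0-9a-zA-Z]"
ANCHORED_ALLOW_LIST = r"^[0-9a-zA-Z]*$"


def contains_disallowed_char(value: str) -> bool:
    """Regex.IsMatch-style use of the negated class: a search that hits
    anywhere in the string means a non-alphanumeric character is present.
    This is why the pattern 'works' when called from code."""
    return re.search(NEGATED_CLASS, value) is not None


def validator_accepts(pattern: str, value: str) -> bool:
    """Emulates the validator (assumption: it requires the match to span the
    whole input, which is what re.fullmatch enforces, and it leaves empty
    input to a RequiredFieldValidator, so '' passes here as well)."""
    if value == "":
        return True
    return re.fullmatch(pattern, value) is not None


def encode_for_html(value: str) -> str:
    """Output encoding (the Server.HtmlEncode step the poster keeps) is
    applied regardless of validation: the allow-list narrows what is
    accepted, encoding protects wherever the value is rendered."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: a clean value, a script tag, a lone '<'.
    for s in ["Clinton123", "<script>alert(1)</script>", "<"]:
        print(f"{s!r}: code-search={contains_disallowed_char(s)} "
              f"validator+negated={validator_accepts(NEGATED_CLASS, s)} "
              f"validator+allowlist={validator_accepts(ANCHORED_ALLOW_LIST, s)} "
              f"encoded={encode_for_html(s)}")
```

Under whole-input matching the negated class inverts the intent: clean input fails (no single character in the class covers the string) while a lone `<` passes, whereas the anchored allow-list rejects both injected samples and accepts the clean one.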
