Disabling SS Scripting on submit

  • Thread starter Holden Caulfield

Holden Caulfield

I was hired to make a Content Management System for a computer
consulting group, and it is almost done. It allows registered users
to submit code that is dynamically inserted into the Live website. It
works, BUT!

I only want CLIENT-SIDE code to be allowed for submission.

Can you give me some ideas as to what I should DIS-allow on submit?
First I will parse the submission using Javascript, and then I will
re-parse with ASP before I allow stuff to be inserted.

Here is my "Black List" so far... Disallow:

1. <%
2. %>
3. HTMLEncode
4. runat

Do you have some other ideas? I am sure other Server-Side scripting
technologies (like PHP and PERL) must use their own ways of doing
stuff, and I bet even in ASP I am forgetting a couple things...

Any help is appreciated.

Thanks,
Holden
PS: The "HTMLEncode" is for stuff like this:
Server.HTMLEncode( string )
PPS: The "runat" is to disallow stuff like this:
<script language="vbscript" runat="server">

Aaron Bertrand - MVP

What does "dynamically inserted" mean? Do you inject this code directly
into a static ASP file? If you store it in a database and retrieve it at
run time, or insert it into an HTML code, it should work fine, and just be
ignored.

Holden Caulfield

Thanks for the replies. By "dynamically inserted" I just mean that
users can edit the live site.

> I can see why items 1, 2, and 4 would be disallowed... but why HTMLEncode?
> HTMLEncode is part of the Server object... if you are not allowing <% then
> HTMLEncode could never be executed, so this is redundant.

Point taken, Thanks!

> You might consider disallowing server side include tags as well, though I'm
> not sure how easy or difficult that would be. And perhaps "<?", "?>", and

The SS Includes is a great idea! Thanks. And the delimiters ("<?",
"?>") are great too, although I am unfamiliar with them...

> I guess it depends on how much control you want them to have. For example,
> could they include </html> in their text, thus ending the page prematurely?

I want to allow ANY client-side code, even if it is dumb. I want to
eliminate ALL server-side code.

Thanks for the ideas! Anyone else have anything to add?

Holden
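Added example (not code from the thread or its posters): the client-side half of the check Holden describes, written as a JavaScript deny-list scan over the markers the replies mention (<% %>, runat="server", server-side includes, <? ?>, and a stray </html>). The marker names and the sample submissions are constructed for illustration.

```javascript
// Added example, not code from the thread: a deny-list scan for server-side
// script markers in a user-submitted HTML fragment. Marker names and the
// sample submissions below are constructed for illustration.
const SERVER_SIDE_MARKERS = [
  { name: "asp-open",      re: /<%/ },
  { name: "asp-close",     re: /%>/ },
  // runat=server with or without quotes, any case (VBScript / ASP style)
  { name: "runat-server",  re: /\brunat\s*=\s*["']?\s*server\b/i },
  // Server-side include directives such as <!--#include file="..." -->
  { name: "ssi-directive", re: /<!--\s*#\s*(include|exec|echo|config|set)\b/i },
  // PHP-style tags; this also flags an XML prolog (<?xml ... ?>), a false
  // positive the deny-list accepts rather than risk letting code through
  { name: "php-open",      re: /<\?/ },
  { name: "php-close",     re: /\?>/ },
  // Not server-side, but it ends the page early (the </html> point raised above)
  { name: "html-close",    re: /<\/\s*html\s*>/i },
];

// Returns the names of every marker found, in list order, so the submitter
// can be told exactly what was rejected.
function findServerSideMarkers(submission) {
  return SERVER_SIDE_MARKERS
    .filter((m) => m.re.test(submission))
    .map((m) => m.name);
}

// The gate the submit handler applies. The same function has to be run again
// on the server over the exact text that will be inserted, because a
// browser-side check only helps the well-behaved user.
function isSubmissionAllowed(submission) {
  return findServerSideMarkers(submission).length === 0;
}

// Constructed sample submissions, one per marker plus a plain client-side one
const SAMPLE_SUBMISSIONS = {
  plainHtml:  '<div class="note"><b>Hello</b><script>document.title = "hi";</script></div>',
  aspBlock:   '<p>hi</p><% Response.Write("x") %>',
  runatTag:   '<script language="vbscript" runat="server">x = 1</script>',
  ssi:        '<!--#include virtual="/header.inc" -->',
  phpTags:    '<?php echo 1; ?>',
  closesPage: '<p>bye</p></html>',
};

for (const [label, text] of Object.entries(SAMPLE_SUBMISSIONS)) {
  const found = findServerSideMarkers(text);
  console.log(label, isSubmissionAllowed(text) ? "allowed" : "rejected: " + found.join(", "));
}
```

The ASP re-parse the plan already includes is the check that counts; the browser-side run only gives the submitter earlier feedback.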