posted on Wednesday, December 07, 2005 8:34 PM by thomasswilliams
Regular Expression to Prevent Users Entering Malicious (HTML) Form Data
Cross-site scripting (XSS) is a problem that ASP.NET helps you deal with by not allowing any "malicious" input (I'm interpreting this as HTML tags, whether it's <OBJECT> or <i>) in the Request object, by default. This behaviour can be switched off by setting the "ValidateRequest" Page directive attribute to "false", and you can then do your own validation à la Peter van Ooijen's "Protecting an ASP.NET page against malicious input with ValidateRequest (A potentially dangerous Request.Form value was detected)" post.
In my case I left the default setting on - I'm not good enough to catch all possible vectors of attack - but used a RegularExpressionValidator validation control, with a regular expression of "^[^<>]+$" (without the quotes) to detect if there are any angle brackets in the field. For later-version browsers, the validation controls are rendered as client-side Javascript which could possibly be bypassed, but that doesn't worry me because ASP.NET also handles the problem server-side and if malicious text did make it to the server, a System.Web.HttpRequestValidationException exception is raised which I handle through my error page.
The validation control merely forewarns the user and in my mind is enough to prevent accidental or curious users from entering HTML tags in free-text data entry fields.
Note: I figured out the regex using http://www.regular-expressions.info/reference.html - the regex matches strings from start to end (the leading ^ character and the closing dollar sign) where there are no occurrences of the characters in the square brackets. Initially I thought that the angle bracket characters would need to be escaped, but they don't.
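The validator's check, as an added JavaScript example that is not part of the original post; it assumes the client-side script tests the whole field value against the anchored pattern and, like the ASP.NET RegularExpressionValidator, treats an empty field as valid (a RequiredFieldValidator would cover emptiness):

```javascript
// Added example, not the post's or ASP.NET's own script: the "^[^<>]+$" check
// re-implemented in plain JavaScript so its behaviour can be inspected.
const NO_ANGLE_BRACKETS = /^[^<>]+$/;

// Assumption: mirrors how the RegularExpressionValidator treats input. An empty
// value is considered valid by that control; otherwise the whole value must match.
function fieldIsValid(value) {
  if (value.length === 0) return true;
  return NO_ANGLE_BRACKETS.test(value);
}

// Constructed sample inputs with the verdict the regex alone gives them.
const SAMPLES = [
  ["Hello, world", true],
  ["<i>hello</i>", false],            // any tag is rejected
  ["2 < 3", false],                    // a lone bracket is rejected too (false positive)
  ["", true],                          // empty: validator does not run the expression
  ["Tom & Jerry \"quoted\"", true],    // no brackets, so it passes: output must still be HTML-encoded
];

// Returns each sample with its expected and actual verdict so the two can be compared.
function runSamples() {
  return SAMPLES.map(([text, expected]) => ({ text, expected, actual: fieldIsValid(text) }));
}
```

The regex only forewarns about angle brackets; values containing quotes or ampersands pass it, so the server-side request validation and HTML-encoding on output remain the real controls.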