help stopping people putting scripts into form fields
on 03.06.2007 14:53:49 by markrush
Hi there, I'm making a simple site where people can add comments into a
shoutbox. Only I've had experience of people adding in HTML tags and
JavaScript to redirect people away from my site and display images etc.,
which I'm not interested in.
How do I stop this from happening? Is there a way to intercept the
form contents and kick out the
code, leaving plain text? Or changing the code so it displays the real
code using < and >?
Many thanks,
Mark
Re: help stopping people putting scripts into form fields
on 03.06.2007 15:04:27 by reb01501
mark r wrote:
> Hi there, I'm making a simple site where people can add comments into a
> shoutbox. Only I've had experience of people adding in HTML tags and
> JavaScript to redirect people away from my site and display images etc.,
> which I'm not interested in.
>
> How do I stop this from happening? Is there a way to intercept the
> form contents and kick out the
> code, leaving plain text?
While difficult, it is doable. Some regular expressions for finding HTML
tags in strings have been posted in this group in the past. A Google search
should reveal them.
> Or changing the code so it displays the real
> code using < and >?
>
Use Server.HTMLEncode in your Response.Write calls.
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
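The encode-on-output approach Bob recommends, as an added classic ASP (VBScript) example that is not code from either poster. It assumes the shoutbox form field is named `comment` and leaves the storage layer out; the comment is kept exactly as typed and `Server.HTMLEncode` is applied every time it is displayed, so no tag-stripping regex has to anticipate every way of writing markup:

```asp
<%
' Added example, not from the thread. Assumes a form field named "comment";
' how the comments are stored between requests is left out.
Option Explicit

' Turn one stored comment into markup that is safe to emit inside the page body.
' The text is stored verbatim and encoded at display time, every time.
Function SafeComment(rawText)
    Dim encoded
    ' Server.HTMLEncode converts & < > and " into entities, so a pasted
    ' <script> tag is shown to readers as literal text instead of being run.
    encoded = Server.HTMLEncode(rawText)
    ' Preserve the poster's line breaks. This happens AFTER encoding, so the
    ' only <br> tags in the result are the ones added on this line.
    encoded = Replace(encoded, vbCrLf, "<br>")
    encoded = Replace(encoded, vbLf, "<br>")
    SafeComment = encoded
End Function

' Unsafe version, kept for comparison: writing the visitor's text verbatim is
' what lets injected tags and redirect scripts take effect for every reader.
' Response.Write Request.Form("comment")

' Safe output when rendering the shoutbox:
Response.Write "<div class=""shout"">" & SafeComment(Request.Form("comment")) & "</div>"
%>
```

One caveat: classic ASP's `Server.HTMLEncode` does not encode the apostrophe, so the encoded value is only safe in element content or inside double-quoted attributes, never inside a single-quoted attribute, a `<script>` block, or a URL.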
Re: help stopping people putting scripts into form fields
on 03.06.2007 22:01:12 by markrush
On Jun 3, 2:04 pm, "Bob Barrows [MVP]" wrote:
> mark r wrote:
> > Hi there, I'm making a simple site where people can add comments into a
> > shoutbox. Only I've had experience of people adding in HTML tags and
> > JavaScript to redirect people away from my site and display images etc.,
> > which I'm not interested in.
>
> > How do I stop this from happening? Is there a way to intercept the
> > form contents and kick out the
> > code, leaving plain text?
>
> While difficult, it is doable. Some regular expressions for finding HTML
> tags in strings have been posted in this group in the past. A Google search
> should reveal them.
>
> > Or changing the code so it displays the real
> > code using < and >?
>
> Use Server.HTMLEncode in your Response.Write calls.
>
> --
> Microsoft MVP - ASP/ASP.NET
> Please reply to the newsgroup. This email account is my spam trap so I
> don't check it very often. If you must reply off-line, then remove the
> "NO SPAM"
Thanks for that... I've got it working :) Now on to the next feature, lol.
Mark