4

I am trying to protect my website from Cross-Site Scripting (XSS) and I'm thinking of using regular expressions to validate user inputs.

Here is my question: I have a list of dangerous HTML tags...

<applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object>

...and I want to include them in regular expressions - is this possible? If not, what should I use? Do you have any ideas how to implement something like that?

JJJ
Andrey

4 Answers

7
    using System.Text;
    using System.Text.RegularExpressions;
    using System.Web;

    // Returns true when the (URL-decoded) input matches none of the blacklisted
    // patterns. This is a blacklist: it rejects known-bad shapes rather than
    // allowing only known-good ones.
    public static bool ValidateAntiXSS(string inputParameter)
    {
        if (string.IsNullOrEmpty(inputParameter))
            return true;

        // The following regex covers the JS events and HTML tags mentioned in these links:
        // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
        // https://msdn.microsoft.com/en-us/library/ff649310.aspx

        var pattern = new StringBuilder();

        // Checks for JS event handlers and calls, i.e. onKeyUp(), onBlur(), alert(...) and custom JS functions.
        pattern.Append(@"((alert|on\w+|function\s+\w+)\s*\(\s*(['+\d\w](,?\s*['+\d\w]*)*)*\s*\))");

        // Checks for HTML tags, i.e. <script, <embed, <object etc.
        pattern.Append(@"|(<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))");

        // URL-decode first so that percent-encoded payloads (e.g. %3Cscript) are also caught.
        return !Regex.IsMatch(HttpUtility.UrlDecode(inputParameter), pattern.ToString(), RegexOptions.IgnoreCase | RegexOptions.Compiled);
    }
Shafqat
6

Please read over the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet for a broad array of information. Blacklisting tags is not a very efficient way to do it and will leave gaps. You should filter input, sanitize before outputting to the browser, encode HTML entities, and use the various other techniques discussed in my link.

Mark Stanislav
  • I use Ajax filtering and it will not allow `<>~`!@#$%^&*()'` but I want to be sure I did not miss anything – Andrey Mar 22 '13 at 19:32
  • You should be filtering/sanitizing/verifying data client AND server side, especially if you are going to be handling information going to a database. Stored XSS (persistent) can be a very, very bad thing. Even if you prevent form fields being filled out from "bad characters", I could still POST directly to your form to process. Handle things on both ends! – Mark Stanislav Mar 22 '13 at 19:35
  • So that means I have to do validation before insert on the server side also. Thanks! – Andrey Mar 22 '13 at 19:37
  • @AndreyIvanov meh it's not about validation or sanitization at all, it's about escaping. Escaping means that you will retain exactly the same information that was given. If I post ` – Esailija Mar 22 '13 at 20:02
  • 1
    That's the HTML entities part of my answer. Further, that will not protect against all XSS attacks. Please don't comment on an answer if you're not contributing anything new or better to the answer. – Mark Stanislav Mar 22 '13 at 20:08
5

You should encode the string as HTML. Use the .NET method

HttpUtility.HtmlEncode(string text)

There are more details at http://msdn.microsoft.com/en-us/library/73z22y6h.aspx

Jacek
  • +1 This is all one needs, it doesn't have to be more complicated than that. But the problem is of course the same as it is when not using parametrised queries - some developers are really good at forgetting to escape. So using a templating language like razor with autoescape is much better. – Esailija Mar 22 '13 at 19:49
  • I used only procedures in my project but still want to have protection from Cross-Site Scripting – Andrey Mar 22 '13 at 20:04
  • You will be protected! After encoding, your tags will be treated as usual data – Jacek Mar 22 '13 at 20:40
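Jacek's answer is the right primitive, with one caveat that HttpUtility.HtmlEncode on its own does not cover: the encoding has to match the context the value is written into. The following is an added example, not code from the answer or the original post, written in Python with `html.escape` standing in for HtmlEncode. The untrusted values, the `SAFE_URL_SCHEMES` allowlist and the helper names are assumptions made for the demo.

```python
import html
from urllib.parse import urlparse

# Constructed untrusted values for the demo (not from the original post).
UNTRUSTED = {
    "name": "<img src=x onerror=alert(1)>",
    "title": 'He said "hi" & left',
    "link": "javascript:alert(document.domain)",
}

# Assumption: these are the only URL schemes this site needs in user-supplied links.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: the Python equivalent of
    HttpUtility.HtmlEncode. & < > " ' become entities, so the browser shows the
    value as text and never parses it as markup."""
    return html.escape(value, quote=True)


def encode_for_href(value: str) -> str:
    """URL attribute context (href, src). HtmlEncode alone does nothing to
    'javascript:alert(1)', which has no markup characters, so the scheme must be
    checked first. Browsers discard ASCII control characters before reading the
    scheme, so 'java\\tscript:' still means javascript: and is stripped the same way."""
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20 and ch != "\x7f").strip()
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        cleaned = "#"  # neutralise unknown or scripting schemes
    return html.escape(cleaned, quote=True)


def render_profile(data: dict) -> str:
    """Build a fragment, picking the encoder by where each value lands."""
    return (
        f"<h1>{encode_for_html(data['name'])}</h1>\n"
        f"<p title=\"{encode_for_html(data['title'])}\">Profile</p>\n"
        f"<a href=\"{encode_for_href(data['link'])}\">Homepage</a>"
    )


if __name__ == "__main__":
    print(render_profile(UNTRUSTED))
```

The point of `encode_for_href` is that `html.escape("javascript:alert(1)")` returns the input unchanged, so a value destined for `href` needs a scheme check before the HTML encoding, and the check has to run after control characters are removed, because the browser removes them too.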
3

Blacklisting as sanitization is not effective, as has already been discussed. Think about what happens to your blacklist when someone submits crafted input:

<SCRIPT>
<ScRiPt>
< S C R I P T >
<scr&#00ipt>
<scr<script>ipt> (did you apply the blacklist recursively ;-) )

This is not an enumeration of possible attacks, but just some examples to keep in mind about how the blacklist can be defeated. These will all render in the browser correctly.

Freedom_Ben
  • I was asking before how to do this white and black list but did not get any answer. Can you share some links which can explain how to do them? – Andrey Mar 22 '13 at 20:02
  • I don't know of any tutorials online, but the [Web Application Hacker's Handbook](http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470) is an excellent resource for web app security. It will teach you all about this subject and it is a fun read. – Freedom_Ben Mar 22 '13 at 20:08
  • 1
    Awesome! I don't have it with my but if I recall there is a good section in the first 3 chapters and then another good one around chapter 12-15 or something like that. Sorry about the lack of specificity... – Freedom_Ben Mar 22 '13 at 20:17
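Shafqat's regex filter and Freedom_Ben's list of crafted inputs make the same point from two directions, so one added example serves both. This is not code from either answer: it ports the ValidateAntiXSS regex to Python (with `unquote_plus` standing in for HttpUtility.UrlDecode) and runs constructed payloads through it. The casing and nested-tag tricks are caught, because the filter rejects rather than strips; the gaps are in what the regex never lists (`<svg>`, `<a href="javascript:...">`) and in argument shapes it does not expect. All payloads below are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Python port of the blacklist regex from the ValidateAntiXSS answer above.
BLACKLIST = re.compile(
    r"((alert|on\w+|function\s+\w+)\s*\(\s*(['+\d\w](,?\s*['+\d\w]*)*)*\s*\))"
    r"|(<(script|iframe|embed|frame|frameset|object|img|applet|body|html"
    r"|style|layer|link|ilayer|meta|bgsound))",
    re.IGNORECASE,
)


def validate_anti_xss(value: str) -> bool:
    """Mirror of the C# method: True means the filter accepts the value.

    HttpUtility.UrlDecode turns %xx sequences and '+' into characters; unquote_plus
    does the same, so percent-encoded tags are decoded before the regex runs.
    """
    if not value:
        return True
    return BLACKLIST.search(unquote_plus(value)) is None


# Constructed inputs. The first group is rejected by the filter; the second group
# passes it yet still executes script when reflected unencoded into an HTML page.
CAUGHT = [
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</ScRiPt>",            # case tricks: the regex is case-insensitive
    "<scr<script>ipt>",                     # nested tag: rejected, not stripped, so still caught
    "%3Cimg src=x onerror=alert(1)%3E",     # percent-encoded: caught after UrlDecode
    "<svg onload=alert(1)>",                # <svg> is not listed, but alert(1) is
]

BYPASSES = [
    "<svg onload=alert(document.domain)>",  # '.' is not in the argument character class
    "<svg onload=alert`1`>",                # tagged template literal: no parentheses at all
    '<a href="javascript:alert&#40;1&#41;">x</a>',  # entity-encoded parens, decoded by the browser
]


def filter_report(payloads):
    """Map each payload to the filter's verdict (True = accepted)."""
    return {p: validate_anti_xss(p) for p in payloads}


if __name__ == "__main__":
    for payload, accepted in filter_report(CAUGHT + BYPASSES).items():
        print(f"{'ACCEPTED' if accepted else 'rejected'}: {payload}")
```

Each entry in `BYPASSES` is accepted by the filter and still runs in a browser if the value is written into the page without output encoding, which is why the encoding step in the other answers is the control that actually matters; extending the blacklist only moves the gap.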