
I have a web site where users are allowed to enter JavaScript in order to compute some values. This script can be anything and gets executed on the server side. I would like to perform some sort of validation in order to limit it only to "safe" functionality.

What I have come up with so far is:

1. Limit to a single line of code, no \r\n allowed.
2. Do not allow "http", "//", "\", "include", "require" to appear.

What else should I check in order to prevent crooks from executing random stuff on my backend?

Thank you.

Evgeny.

  • `"h" + "ttp:" + "/" + "/"` – Quentin Aug 22 '15 at 09:13
  • 2
    A blacklist will *never* be secure. If your requirements are simple, consider using one of the multitude of custom language parsers available, where you can explicitly define what the language is allowed to do. – Dave Aug 22 '15 at 09:14
  • Right... Main purpose is math. so maybe I can whitelist it instead to Math operations and conversions.. – Evgeny Aug 22 '15 at 09:17
  • Whitelisting is better, but if you just need maths that's even more reason to use a specially-designed parser. You can get maths out-of-the-box in most of them. https://www.google.co.uk/?q=javascript+math+parser – Dave Aug 22 '15 at 09:19
  • Ok, backend is .NET, do you know any good ones? – Evgeny Aug 22 '15 at 09:21
  • Sorry, SO isn't for particular recommendations. But you can't go far wrong. Just try one or two. ".net math parser" are your keywords. – Dave Aug 22 '15 at 09:24
  • I found this one http://www.lundin.info/mathparser which does what I need. Thank for ideas – Evgeny Aug 22 '15 at 09:26
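Dave's point about replacing the blacklist with a whitelist parser, as an added example that is not from the question or the comments: a small recursive-descent evaluator in JavaScript that accepts only numbers, arithmetic operators, parentheses and a fixed set of Math functions, placed next to the question's own blacklist so the two can be compared on Quentin's `"h" + "ttp:" + "/" + "/"` input. The names `blacklistAllows`, `safeEval` and `FUNCS` are this example's own, not from any library.

```javascript
// Added example: whitelist math evaluator vs. the question's blacklist.
// Nothing the user types is ever passed to eval(); it is parsed into a
// tiny arithmetic grammar and rejected if it does not fit.
const FUNCS = { sqrt: Math.sqrt, abs: Math.abs, min: Math.min, max: Math.max, round: Math.round };

// The blacklist from the question: returns true when the input is "allowed".
function blacklistAllows(src) {
  if (/[\r\n]/.test(src)) return false;
  return !["http", "//", "\\", "include", "require"].some(w => src.includes(w));
}

// Whitelist tokenizer: numbers, lowercase identifiers, single-char operators.
// The sticky regex means any other character is an immediate rejection.
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([a-z]+)|([-+*/^(),]))/y;
  const out = [];
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error("rejected: character outside the math grammar");
    if (m[1] !== undefined) out.push({ t: "num", v: parseFloat(m[1]) });
    else if (m[2] !== undefined) out.push({ t: "id", v: m[2] });
    else out.push({ t: "op", v: m[3] });
  }
  return out;
}

// Grammar: expr := term (('+'|'-') term)* ; term := power (('*'|'/') power)* ;
// power := primary ('^' power)? ; primary := num | '-' primary | '(' expr ')' | id '(' expr (',' expr)* ')'
function safeEval(src) {
  const toks = tokenize(src.trim());
  let i = 0;
  const peek = () => toks[i], next = () => toks[i++];
  const isOp = chars => peek() !== undefined && peek().t === "op" && chars.includes(peek().v);
  const expect = v => { const k = next(); if (!k || k.v !== v) throw new Error("rejected: expected " + v); };
  function primary() {
    const k = next();
    if (!k) throw new Error("rejected: unexpected end of input");
    if (k.t === "num") return k.v;
    if (k.v === "-") return -primary();
    if (k.v === "(") { const v = expr(); expect(")"); return v; }
    if (k.t === "id") {
      // hasOwnProperty: names like "constructor" must not reach Object.prototype
      if (!Object.prototype.hasOwnProperty.call(FUNCS, k.v)) throw new Error("rejected: unknown function " + k.v);
      expect("("); const args = [expr()];
      while (isOp(",")) { next(); args.push(expr()); }
      expect(")"); return FUNCS[k.v](...args);
    }
    throw new Error("rejected: unexpected " + k.v);
  }
  function power() { const b = primary(); if (isOp("^")) { next(); return b ** power(); } return b; }
  function term() { let v = power(); while (isOp("*/")) { const op = next().v, r = power(); v = op === "*" ? v * r : v / r; } return v; }
  function expr() { let v = term(); while (isOp("+-")) { const op = next().v, r = term(); v = op === "+" ? v + r : v - r; } return v; }
  const v = expr();
  if (i !== toks.length) throw new Error("rejected: trailing input");
  return v;
}
```

The blacklist lets the concatenated string through because no forbidden substring appears literally, while the whitelist parser rejects it at the first quote character; only expressions built from the grammar above are evaluated.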
