RegularExpression Validator Script Html block

Question

Does anyone know of a RegularExpression Validator or website thats stops script and html tags being used in TextBoxes and TextAreas

Updated:

public static string RegexReplace(string strin, string strExp, string strReplace)
    {
        return Regex.Replace(strin, strExp, strReplace);
    }

    public static string RemoveHTML(string strText)
    {
        return RegexReplace(strText, "<[^>]*>", string.Empty);
    }

score 1 · Accepted Answer · edited May 23 '17 at 12:29

1

You're not going to prevent a user from inputting data in an input. You "could" use javascript, but then the user "could" disable javascript and do what they want.

You need to sanitize on the server side AFTER the user submits the data.

Check out the Microsoft AntiXSS Library, and even MarkDownSharp can do this (even if you're not actually using Markdown). Alternatively there's always the HtmlAgilityPack to parse HTML for you.

HtmlAgilityPack

PM> Install-Package HtmlAgilityPack

MarkDownSharp

PM> Install-Package MarkdownSharp

AntiXss

PM> Install-Package AntiXSS

Do not, I repeat DO NOT parse html with regular expressions!!!!

edited May 23 '17 at 12:29

Community

1
1

answered Mar 03 '12 at 04:17

Chase Florell

46,378
57
186
376

Do you mean using OnServerValidate event on the Validator – ONYX Mar 03 '12 at 04:22
no, I mean you need to strip the volatile scripts... sanitize the input... sorry, I'm going to remove the "validate" portion. – Chase Florell Mar 03 '12 at 04:24
I've updated my post. Something like above would work? it doesn't say script but html instead maybe use for script what do you think – ONYX Mar 03 '12 at 04:30
- oh woops, that would be parsed out with your solution. – Chase Florell Mar 03 '12 at 04:34
at VERY least use the [HtmlAgilityPack](http://htmlagilitypack.codeplex.com/) instead of regex. – Chase Florell Mar 03 '12 at 04:35
I might stick with AntiXSS library, HtmlAgilityPack to me just varifies if its Html i need to look into that more. – ONYX Mar 03 '12 at 04:38
Actually, MarkDownSharp does not sanitize user data, it only translates MarkDown code. – Henrik Ripa Mar 14 '12 at 10:48

RegularExpression Validator Script Html block

1 Answers1