
Scrubbing user input

  • 12-09-2009 7:29pm
    #1
    Registered Users Posts: 2,791 ✭✭✭


    Hi,

    I have a method in my base classes that scrubs the text entered by users of malicious characters/words for security reasons. It takes in the input text with an integer value specifying how many characters it should be, and returns the clean text.

    For the most part, this works well, however there are a few fields that require the user to be allowed to enter rich text and html. I'm conscious that this is a vulnerability in my system and it's something I'd like to address.

    My current method strips out characters using the regular expression:

     using System.Text.RegularExpressions;

     // Remove any run of two or more whitespace characters
     sOutput = Regex.Replace(sInput, "\\s{2,}", "");
     // Strip <br>, <br/> and opening <p ...> tags, in either case
     // (plain [bB] rather than [b|B]: inside a character class '|' is a literal, so the
     // original pattern also matched "<|>")
     sOutput = Regex.Replace(sOutput, "(<[bB][rR]/*>)+|(<[pP](.|\\n)*?>)", "");
     // Collapse runs of &nbsp; (with surrounding whitespace) into a single space
     sOutput = Regex.Replace(sOutput, "(\\s*&[nN][bB][sS][pP];\\s*)+", " ");
     // Strip any remaining tag
     sOutput = Regex.Replace(sOutput, "<(.|\\n)*?>", "");
    

    This removes characters such as "<>" which make it unusable in situations where HTML input is allowed. Can anyone recommend a solution to this?

    Another problem is the ' character. I was originally wrapping this in '' but the text was incorrect when displaying from the DB. I'm also conscious that ' can be used in SQL injection attacks, so how do you handle this?

    Thanks very much for any suggestions and advice,
    John
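
    Added example for the second question (not code from the original post): instead of doubling ' before building the SQL string, pass the text as a typed parameter. The value then never becomes part of the statement text, so an apostrophe is stored and read back exactly as typed and cannot alter the query. The table Comments(Id, Body) and the connection string are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread.
// Assumed (hypothetical) schema:
//   CREATE TABLE Comments (Id int IDENTITY PRIMARY KEY, Body nvarchar(4000))
public static class CommentStore
{
    // Parameterised insert: the apostrophe in 'body' is sent as data, separate from
    // the SQL text, so no escaping is needed and Body cannot change the statement.
    public static int Save(string connectionString, string body)
    {
        const string sql =
            "INSERT INTO Comments (Body) VALUES (@body); " +
            "SELECT CAST(SCOPE_IDENTITY() AS int);";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The declared size plays the role of the length limit the post mentions:
            // longer input is truncated at the parameter, not pasted into the query.
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = body;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Reading it back: the stored text is the text the user typed, including any '.
    public static string Load(string connectionString, int id)
    {
        const string sql = "SELECT Body FROM Comments WHERE Id = @id";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Constructed sample; replace with a real connection string to run.
        string cs = "Server=.;Database=Demo;Integrated Security=true";
        int id = CommentStore.Save(cs, "It's O'Brien's turn");
        Console.WriteLine(CommentStore.Load(cs, id)); // It's O'Brien's turn
    }
}
```

    With parameters in place the '' wrapping goes away entirely, which also fixes the "incorrect when displaying" symptom: the doubled quote was being stored literally. The same pattern applies to the WHERE clause of any query that takes user input.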


Comments

  • Registered Users Posts: 2,931 ✭✭✭Ginger


    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.


  • Registered Users Posts: 2,791 ✭✭✭John_Mc


    Ginger wrote: »
    You can sort of cheat and use HtmlEncode on the string on output meaning that anything that is put in dodgy will come out as plain text.

    Perfect, will give this a go. Thanks :)


  • Registered Users Posts: 610 ✭✭✭nialo


    remember when you use this you have to also do the reverse to actually read out the data or else it will just print to the screen as html encoded text..
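
    Added example (not code from the thread) tying the two replies above together: keep the text as typed in the database, encode it with HtmlEncode at the point where it is written into the page, and use HtmlDecode only if a field was stored already encoded and has to be shown again in an edit box. The sample input is constructed.

```csharp
using System;
using System.Web;

// Added example, not code from the thread.
public static class SafeOutput
{
    // Encode on output: <, >, &, and " become entities, so whatever was typed
    // renders as literal text rather than as markup.
    public static string ForHtml(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }

    // Reverse step for the case nialo describes: if a value was stored
    // encoded, decode it before placing it in an input box, otherwise the user
    // sees (and resubmits) the &lt; / &gt; form.
    public static string ForEditing(string storedEncoded)
    {
        return HttpUtility.HtmlDecode(storedEncoded);
    }

    public static void Main()
    {
        // Constructed sample, as a user might type it into a plain-text field.
        string typed = "5 < 6 && <b>bold</b> \"quoted\"";

        string rendered = ForHtml(typed);
        // 5 &lt; 6 &amp;&amp; &lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot;
        Console.WriteLine(rendered);

        // Round trip: decoding the encoded form gives back exactly what was typed.
        Console.WriteLine(ForEditing(rendered) == typed); // True
    }
}
```

    In ASP.NET the same call is available as Server.HtmlEncode, so a page can emit <%= Server.HtmlEncode(comment.Body) %> and store the raw text with no encoding at all; decoding is then never needed. The one caveat is the rich-text fields mentioned in the first post: encoding shows their markup literally, so those need a separate allow-list of permitted tags rather than blanket encoding.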

