proxysource
Starting Member
USA
19 Posts
Posted - 25 September 2000 : 02:22:46
I've added some code to FormatStr function in inc_functions.asp to disable some of the more potentially dangerous HTML/ASP tags. This might be useful if you want to turn HTML on without allowing folks to post harmful scripts, etc. to your forum.
I've listed the code below. Can anyone think of anything that ought to be added?
' The replacement strings are the entity-encoded forms of the search strings.
' The forum rendering had decoded them back to plain text (so every line read
' as a no-op), so they are reconstructed here; the entities chosen for the
' " on" and "javascript" lines are assumed.
' Last argument 1 = vbTextCompare (case-insensitive match).
fString = replace(fString, "&", "&amp;", 1, -1, 1)
fString = replace(fString, ">", "&gt;", 1, -1, 1)
fString = replace(fString, "<", "&lt;", 1, -1, 1)
fString = replace(fString, "<script", "&lt;script", 1, -1, 1)
fString = replace(fString, "</script", "&lt;/script", 1, -1, 1)
fString = replace(fString, "<!--#INCLUDE", "&lt;!--#INCLUDE", 1, -1, 1)
fString = replace(fString, "<object", "&lt;object", 1, -1, 1)
fString = replace(fString, "</object", "&lt;/object", 1, -1, 1)
fString = replace(fString, "<iframe", "&lt;iframe", 1, -1, 1)
fString = replace(fString, "</iframe", "&lt;/iframe", 1, -1, 1)
fString = replace(fString, "<applet", "&lt;applet", 1, -1, 1)
fString = replace(fString, "</applet", "&lt;/applet", 1, -1, 1)
fString = replace(fString, "<embed", "&lt;embed", 1, -1, 1)
fString = replace(fString, "</embed", "&lt;/embed", 1, -1, 1)
' Break "on..." event-handler attribute names by encoding the "o"
fString = replace(fString, " on", " &#111;n", 1, -1, 1)
fString = replace(fString, " On", " &#79;n", 1, -1, 1)
fString = replace(fString, " oN", " &#111;N", 1, -1, 1)
fString = replace(fString, " ON", " &#79;N", 1, -1, 1)
' Neutralise "%" so "<%" can never open an ASP block
fString = replace(fString, "%", "&#37;", 1, -1, 1)
fString = replace(fString, """javascript", "&quot;javascript", 1, -1, 1)
fString = replace(fString, """Javascript", "&quot;Javascript", 1, -1, 1)
fString = replace(fString, """JAVASCRIPT", "&quot;JAVASCRIPT", 1, -1, 1)
_______________________
Dave Rosen, ProxySource.com, www.proxysource.com
Edited by - proxysource on 25 September 2000 02:24:12
gor
Retired Admin
Netherlands
5511 Posts
Posted - 25 September 2000 : 02:53:51
Hmm, this was something to be looked at anyhow; I've been reading reports about HTMLEncode not handling different character sets the right way, and replacing it with this is sometimes said to be an option.
As to what needs to be added, of course you also should put the reverse code in CleanCode() so the user sees the original code again when editing. He/she might just be supplying a harmless listing of some HTML/ASP code as a response to a question and shouldn't have to care about how it is the application makes sure it is harmless code.
Pierre Gorissen
"Sometimes it is more important to discover what one cannot do, than what one can do." - Lin Yutang
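The encoding filter from the first post together with the reverse step gor asks for, as an added Python re-implementation (it is not the forum software's code and not either poster's). The function names format_str and clean_code, the TAGS pattern and the entity forms are this example's own choices. It applies the rules in the posted order and undoes them in reverse order, which is what makes the edit round trip exact; it also goes slightly beyond the posted list by encoding the "o" of " on" with a numeric character reference that keeps the member's original capitalisation, where a fixed-string replace would turn " ON" into " on".

```python
import re

# Tag names whose opening "<" gets neutralised (same list as the first post;
# the regex wrapper around it is this example's own).
TAGS = r"/?(?:script|object|iframe|applet|embed)|!--#INCLUDE"

# Encoding rules, applied in order. "&" goes first so that entities produced
# by the later rules are not themselves re-encoded.
_ENCODE = [
    (re.compile(r"&"), lambda m: "&amp;"),
    (re.compile(r"<(?=" + TAGS + ")", re.I), lambda m: "&lt;"),
    # " on" in any capitalisation: encode the "o" as a numeric character
    # reference. Browsers do not decode references inside attribute names,
    # so " &#111;nerror" is no longer an event handler, and the original
    # letter survives for the round trip.
    (re.compile(r" (o)(?=n)", re.I), lambda m: " &#%d;" % ord(m.group(1))),
    (re.compile(r"%"), lambda m: "&#37;"),
    (re.compile(r'"(?=javascript)', re.I), lambda m: "&quot;"),
]

# Decoding rules: the same steps in reverse order, so "&amp;" is undone last.
# Because every "&" the member typed was turned into "&amp;", any bare entity
# in the stored text was produced by the encoder, and undoing it is safe.
_DECODE = [
    (re.compile(r"&quot;(?=javascript)", re.I), lambda m: '"'),
    (re.compile(r"&#37;"), lambda m: "%"),
    (re.compile(r" &#(111|79);(?=n)", re.I),
     lambda m: " " + chr(int(m.group(1)))),
    (re.compile(r"&lt;(?=" + TAGS + ")", re.I), lambda m: "<"),
    (re.compile(r"&amp;"), lambda m: "&"),
]


def format_str(text: str) -> str:
    """Neutralise the listed tags and attributes, as the posted FormatStr does."""
    for pattern, repl in _ENCODE:
        text = pattern.sub(repl, text)
    return text


def clean_code(text: str) -> str:
    """Inverse of format_str: give the author back exactly what they typed."""
    for pattern, repl in _DECODE:
        text = pattern.sub(repl, text)
    return text


# Constructed sample post: harmless markup mixed with the constructs the
# filter is meant to neutralise.
SAMPLE = ('<b>hi</b> <SCRIPT>x()</script> <img src="x" onerror="y"> '
          '<% a %> "javascript:z')

if __name__ == "__main__":
    stored = format_str(SAMPLE)
    print(stored)
    print("round trip ok:", clean_code(stored) == SAMPLE)
```

The decoder deliberately reverses only the entities the encoder produces, rather than running a general HTML unescape, so a member who posted a literal "&lt;script&gt;" listing gets that listing back unchanged on edit. Like the posted VBScript, this is a deny list: it only neutralises the constructs named in the rules.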
proxysource
Starting Member
USA
19 Posts
Posted - 25 September 2000 : 17:44:42
Good point about the CleanCode().
Of course, when HTML is on, there is a problem with folks that want to post HTML code as part of a response, rather than something to be interpreted by the browser. I've added a feature to my forum where members can add a plain text box (using the <textarea></textarea> tags) in which code can be written without being interpreted.
_______________________
Dave Rosen, ProxySource.com, www.proxysource.com