8

I have several text boxes in an ASP.NET Web Form. I want to ensure that users are not entering HTML into those text boxes. However, I'm not sure how to prevent HTML from being entered. Because of this, I decided that I want to only allow alphanumeric characters, spaces, exclamation points, sharp signs, dollar signs, percentage signs, carets, stars, and left and right parentheses. I'm omitting the ampersand because I do not want them entering something like "<script&rt;..."

How do I do this? Am I doing it the right way?

Thank you!

1
  • Whatever method you choose, make sure that you validate your input both on the client and the server - client validation can be easily bypassed with a javascript debugger. Commented Sep 2, 2010 at 20:23
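The whitelist the question describes, written out as an added example (this is not code from the question or from any answer). The control names txtComment, litMessage and btnSubmit_Click are assumptions; the pattern is the question's own character list, anchored so that the whole value has to match. The server-side check is the real control; the markup validator at the end only gives the user immediate feedback, as the comment above points out.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from the question. Implements the whitelist the
// question describes: letters, digits, space, ! # $ % ^ * ( ) and nothing else.
public static class InputWhitelist
{
    // Anchored with ^ and $ so the entire value must consist of allowed
    // characters; without the anchors one allowed character anywhere in the
    // string would make IsMatch return true. Inside a character class,
    // ^ $ * ( ) are literal, so nothing needs escaping here.
    public const string AllowedPattern = @"^[A-Za-z0-9 !#$%^*()]*$";

    private static readonly Regex Allowed =
        new Regex(AllowedPattern, RegexOptions.Compiled);

    // True only when every character of input is on the whitelist.
    // Null is rejected; an empty string passes (enforce "required" separately).
    public static bool IsAllowed(string input)
    {
        return input != null && Allowed.IsMatch(input);
    }
}

// Hypothetical code-behind for a page with a TextBox named txtComment, a
// Literal named litMessage and a Button whose Click handler is btnSubmit_Click.
// These control names are assumptions made for this example.
public partial class CommentForm : System.Web.UI.Page
{
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string value = txtComment.Text;

        // Server-side check. This is the check that matters: the client-side
        // validator in the markup below is a usability aid and can be skipped
        // by anyone who controls the browser.
        if (!InputWhitelist.IsAllowed(value))
        {
            litMessage.Text = "Only letters, digits, spaces and ! # $ % ^ * ( ) are allowed.";
            return;
        }

        // value now contains only whitelisted characters and can be stored.
        // When it is written back into a page, still HTML-encode it: the
        // whitelist is an input rule, not a substitute for output encoding.
        litMessage.Text = "Saved: " + HttpUtility.HtmlEncode(value);
    }
}

/* Matching client-side validator for the .aspx markup (same pattern, so the
   user gets immediate feedback; the server check above still runs on postback):

   <asp:RegularExpressionValidator runat="server" ID="revComment"
        ControlToValidate="txtComment"
        ValidationExpression="^[A-Za-z0-9 !#$%^*()]*$"
        ErrorMessage="Only letters, digits, spaces and ! # $ % ^ * ( ) are allowed." />
*/
```

Keeping the pattern in one constant and using it for both the server check and the validator is deliberate: when the two drift apart, the browser accepts values the server rejects (or the reverse), and users see confusing behaviour while the security property still rests entirely on the server check.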

4 Answers

1

Have a look here http://msdn.microsoft.com/en-us/library/ff649310.aspx

You can put a blanket statement in the web config: ValidateRequest = true will check all user input and throw an error if a user inserts something with bad characters.

If you need to allow some html tags then you will need to roll your own.


3 Comments

-1: I don't believe throwing errors/exceptions to users is a good practice. And ValidateRequest = true does not cover all forms of XSS prevention, if that is the intention.

@Caspar Kleijne can you provide some references to ValidateRequest not covering all forms of XSS? I'm curious to read about it. I figured that Microsoft would do a better job at catching all cases of dangerous user input than I or the average developer could rolling their own.

ValidateRequest covers only the forms of XSS prevention that were known at the release of a certain version of (ASP).NET. .NET is not updated regularly on production servers. So if the server runs ASP.NET 2.0 or 3.5 (very common), most modern forms of XSS are unknown and thus ignored. So it is a line of defense, but a weak one.
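Request validation is switched on by `<pages validateRequest="true" />` under `<system.web>` in web.config (it is the default), and when it rejects a request ASP.NET raises HttpRequestValidationException before the page's own handlers run, which is the "throwing errors to users" the first comment objects to. The following Global.asax code-behind is an added example, not part of the answer or of ASP.NET itself; the redirect target ~/InvalidInput.aspx is an assumed page name.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not part of the answer. Hypothetical Global.asax code-behind:
// with request validation enabled, ASP.NET raises HttpRequestValidationException
// when a posted value contains markup, which by default surfaces as an error
// page. This handler turns it into a redirect to an assumed page
// ~/InvalidInput.aspx and writes a trace entry.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null)
            return;

        // The runtime throws the exception directly, but unwrap one level in
        // case it was rethrown wrapped in an HttpUnhandledException.
        var validationError = error as HttpRequestValidationException
                              ?? error.InnerException as HttpRequestValidationException;
        if (validationError == null)
            return;   // any other error keeps the normal error-handling path

        // Record that it happened, with the request path and source address, but
        // not the rejected value itself: copying attacker-controlled text into a
        // log creates its own problems (log injection, viewers that render HTML).
        Trace.TraceWarning(
            "Request validation rejected input on {0} from {1}",
            Request.Path, Request.UserHostAddress);

        // Discard the error so the default error page is not rendered, then send
        // the user to a page that explains which characters are accepted.
        Server.ClearError();
        Response.Redirect("~/InvalidInput.aspx", false);
        CompleteRequest();
    }
}
```

Two caveats worth keeping in mind with this setting. It is a runtime-level blacklist, so it also rejects harmless input that merely resembles markup (a user typing `a<b` in a comment), which is why an explicit whitelist or output encoding is usually preferred for the fields you control. And on ASP.NET 4.0 and later, validation runs earlier in the pipeline than on 2.0/3.5; turning it off for an individual page with `ValidateRequest="false"` then also requires `<httpRuntime requestValidationMode="2.0" />`, so check which mode a production server is actually in before relying on page-level settings.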
1

The page will, by default, prevent users from posting HTML or script in textboxes or textareas. See MSDN


1

I've used:

HttpUtility.HtmlEncode();

More info here.


0

You can use a method to clean HTML codes from the entry, like:

using System.Text.RegularExpressions;

// Removes anything that looks like an HTML tag and optionally truncates the
// result to roughly Character characters, cutting at the last space and
// appending "...".
public static string ClearHTML(string Str, Nullable<int> Character)
{
    // Replace every "<...>" run (including ones spanning line breaks) with a space.
    string MetinTxtRegex = Regex.Replace(Str, "<(.|\n)+?>", " ");

    string MetinTxtSubStr = string.Empty;

    if (Character.HasValue)
    {
        if (MetinTxtRegex.Length > Character.Value)
        {
            MetinTxtSubStr = MetinTxtRegex.Substring(0, Character.Value);
            // LastIndexOf returns -1 when there is no space; Substring(0, -1)
            // would throw, so only cut at a space when one exists.
            int lastSpace = MetinTxtSubStr.LastIndexOf(" ");
            if (lastSpace > 0)
            {
                MetinTxtSubStr = MetinTxtSubStr.Substring(0, lastSpace);
            }
            MetinTxtSubStr += "...";
        }
        else
        {
            MetinTxtSubStr = MetinTxtRegex;
        }
    }
    else
    {
        MetinTxtSubStr = MetinTxtRegex;
    }
    return MetinTxtSubStr;
}
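The two approaches in the last two answers, stripping tag-like text on the way in (this answer's ClearHTML) and encoding on the way out (the HttpUtility.HtmlEncode answer), behave very differently on ordinary text. The following is an added example, not code from either answer; the sample strings are constructed for the demonstration, and StripTags reuses only this answer's regular expression.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from either answer. Compares stripping tag-like text
// (the ClearHTML answer) with encoding at output time (the HtmlEncode answer)
// on the same input. The sample strings are constructed for this demonstration.
public static class StripVsEncode
{
    // Same expression the ClearHTML answer uses: anything from '<' to the next '>'.
    private static readonly Regex TagLike = new Regex("<(.|\n)+?>", RegexOptions.Compiled);

    // Input filtering: deletes whatever looks like a tag. Irreversible, and it
    // also deletes legitimate text that merely sits between '<' and '>'.
    public static string StripTags(string input)
    {
        return TagLike.Replace(input, " ");
    }

    // Output encoding: leaves the stored text intact and turns < > & " into
    // entities at the moment the value is written into a page, so the browser
    // displays the characters instead of interpreting them as markup.
    public static string RenderAsHtml(string storedValue)
    {
        return "<p>" + HttpUtility.HtmlEncode(storedValue) + "</p>";
    }

    public static void Main()
    {
        string[] samples =
        {
            "Hello <b>world</b>",             // markup that must not reach the page as markup
            "if a < b and c > d then swap",   // ordinary text with a comparison in it
            "Tom & Jerry"                     // ordinary text with an ampersand
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input:    {0}", s);
            Console.WriteLine("stripped: {0}", StripTags(s));
            Console.WriteLine("rendered: {0}", RenderAsHtml(s));
            Console.WriteLine();
        }
    }
}
```

The second sample is the practical difference: StripTags treats `< b and c >` as a tag and returns `if a   d then swap`, so the user's comparison is gone from the stored data for good, while RenderAsHtml returns `<p>if a &lt; b and c &gt; d then swap</p>`, which the browser shows exactly as typed. The third sample shows that stripping leaves `&` untouched, so it still has to be encoded at output anyway. That is why validating input against a whitelist (as the question proposes) and encoding every value when it is rendered are the two controls to combine; tag stripping is a display convenience rather than a security boundary.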
