0

My asp.net mvc application uses angujar js has following regular expression to block XSS data in the input fields.

^[^&<>\\\\\"'{}=#]*$

But the problem is, most of my customer data has & and # and it cannot be corrected. Please explain the best possible way to allow these two characters and still block XSS attacks.

EDIT 1 Can I try something like this, suppose if I allow & and # and add validation in such a way that only one & is allowed or only one # is allowed and either & or # are allowed but not both and restrict if these characters are more than once. I will place this validation on both client and server side. Is this a good approach ?

Improve this question
5
  • Where is this regular expression applied? Commented Jun 30, 2016 at 6:19
  • This is added in our code to throw the error when user enters these characters, its basically used in javascript for validation. Commented Jun 30, 2016 at 17:41
  • Client side input validation does not block XSS attacks. Unless you replicate that check on the asp.net side, you are still vulnerable regardless. Commented Jul 1, 2016 at 10:34
  • @Erlend I do also have a server side validation for this. Commented Jul 7, 2016 at 22:12
  • There really is no danger allowing any of those characters, as long as you do proper output encoding. Angular.js will do that for it's templates as long as you don't mix server side and client side templates (mentioned in the angular security doc). Templates should be static, and content should be delivered as JSON services. Most of the XSS vulnerabilities I have seen in angular apps, have been in those corner cases where this pattern is not followed Commented Jul 8, 2016 at 8:35

1 Answer 1

Reset to default
0

Best way to avoid this is not allowing # when entering new data. That means you can allow to display # by removing # from regular expression, but do not allow to type # by handling key press event of textbox.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Your point looks valid, I am displaying these characters in the UI now, but my requirement is to allow them to be sent back to the submitted in the form and sent back to database.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.