I've got a free text form for people to submit feedback/support requests. Occasionally people will paste in a support ticket or error log that contains something that triggers the .NET page validator as an XSS attempt. This takes the user to the error page as if the site choked on their input.
Preferably, I'd rather have the page do some client-side validation when they press the save button before it's actually submitted.
Is there a regex or some method I can hook into that would do the same basic check on the client side, or will I just have to write a regex that disallows certain characters altogether, like < and >?
.NET 4.0's internal CrossSiteScriptingValidation uses the IsDangerousString method to match on these conditions:
If the only occurrence of < or & is at the end of the post data, then it's safe. If < is followed by a-z, A-Z, /, ?, or ! then it's unsafe. If & is followed by a #(octothorpe!) then it's unsafe.
This regex in javascript should work:
/^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i
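As an added example that is not part of the answer above: the three conditions it lists, written out as a plain JavaScript scan a save-button handler can call, with the posted regex run alongside for comparison. The sample strings are constructed to look like pasted error logs.

```javascript
// Added example, not code from the original post or from .NET itself.
// Conditions as stated in the answer: '<' followed by a-z, A-Z, '/', '?'
// or '!' is unsafe; '&' followed by '#' is unsafe; a '<' or '&' that is
// the very last character has nothing after it and is treated as safe.

const START_CHARS_AFTER_LT = /[a-zA-Z!\/?]/; // <a  <A  </  <!  <?
const START_CHAR_AFTER_AMP = '#';            // &#...

function isDangerousString(text) {
  // Stop one short of the end: the last character has no successor.
  for (let i = 0; i < text.length - 1; i++) {
    const c = text[i];
    if (c === '<' && START_CHARS_AFTER_LT.test(text[i + 1])) return true;
    if (c === '&' && text[i + 1] === START_CHAR_AFTER_AMP) return true;
  }
  return false;
}

// The regex from the answer matches strings that are SAFE, so
// "dangerous" is the negation of a match.
const SAFE_RE = /^(?!(.|\n)*<[a-z!\/?])(?!(.|\n)*&#)(.|\n)*$/i;
function isDangerousByRegex(text) {
  return !SAFE_RE.test(text);
}

// Constructed sample inputs of the kind users paste into a support form.
const SAMPLES = {
  stackTrace:  'Exception: <System.NullReferenceException> at Foo.Bar()',
  closingTag:  'log line </Detail> was truncated',
  entity:      'error &#169; message',
  comparison:  'if (a < 5 && b > 2) retry()',   // '<' followed by a space
  trailingLt:  'value is <',                     // '<' is the last character
  trailingAmp: 'Tom &',                          // '&' is the last character
  plain:       'Application failed to start; see attached log.',
};

// Maps each sample name to {dangerous, regexAgrees}: 'dangerous' is what
// the form should warn about before submitting; 'regexAgrees' records
// whether the scan and the posted regex reach the same verdict.
function classifySamples(samples = SAMPLES) {
  const out = {};
  for (const [name, text] of Object.entries(samples)) {
    const dangerous = isDangerousString(text);
    out[name] = { dangerous, regexAgrees: dangerous === isDangerousByRegex(text) };
  }
  return out;
}
```

Because the server re-runs its own check regardless, this only spares the user the error page; it does not replace the server-side validation.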