Does this set of regular expressions FULLY protect against cross-site scripting?

What's an example of something dangerous that would not be caught by the code below?

EDIT: After some of the comments I added another line, commented below. See Vinko's comment in David Grant's answer. So far only Vinko has answered the question, which asks for specific examples that would slip through this function. Vinko provided one, but I've edited the code to close that hole. If another of you can think of another specific example, you'll have my vote!

```csharp
using System.Text.RegularExpressions;

public static string strip_dangerous_tags(string text_with_tags)
{
    // Break up the tag names by inserting "SAFE" so the browser no longer recognises them
    string s = Regex.Replace(text_with_tags, @"<script", "<scrSAFEipt", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"</script", "</scrSAFEipt", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"<object", "<objSAFEct", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"</object", "</objSAFEct", RegexOptions.IgnoreCase);

    // ADDED AFTER THIS QUESTION WAS POSTED
    s = Regex.Replace(s, @"javascript", "javaSAFEscript", RegexOptions.IgnoreCase);

    // Break up inline event-handler attribute names the same way
    s = Regex.Replace(s, @"onabort", "onSAFEabort", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onblur", "onSAFEblur", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onchange", "onSAFEchange", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onclick", "onSAFEclick", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"ondblclick", "onSAFEdblclick", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onerror", "onSAFEerror", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onfocus", "onSAFEfocus", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onkeydown", "onSAFEkeydown", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onkeypress", "onSAFEkeypress", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onkeyup", "onSAFEkeyup", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onload", "onSAFEload", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onmousedown", "onSAFEmousedown", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onmousemove", "onSAFEmousemove", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onmouseout", "onSAFEmouseout", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onmouseup", "onSAFEmouseup", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onreset", "onSAFEreset", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onresize", "onSAFEresize", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onselect", "onSAFEselect", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onsubmit", "onSAFEsubmit", RegexOptions.IgnoreCase);
    s = Regex.Replace(s, @"onunload", "onSAFEunload", RegexOptions.IgnoreCase);
    return s;
}
```
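An added example (not from the question or any answer) showing the defender's alternative to the token denylist above: instead of rewriting recognised tokens, encode untrusted text for the HTML context it is inserted into, so nothing in it is parsed as markup regardless of whether it was anticipated. `DenylistFilter` is a constructed, abbreviated stand-in for the question's function, and `OutputEncodingDemo` and its sample inputs are assumptions made for this example.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class OutputEncodingDemo
{
    // Abbreviated stand-in for the question's denylist (constructed for this example):
    // each token is broken by inserting "SAFE", as strip_dangerous_tags does.
    static readonly string[] Denylist =
        { "<script", "</script", "<object", "</object", "javascript", "onclick", "onload" };

    public static string DenylistFilter(string text)
    {
        foreach (string token in Denylist)
        {
            string broken = token.Substring(0, 2) + "SAFE" + token.Substring(2);
            text = Regex.Replace(text, Regex.Escape(token), broken, RegexOptions.IgnoreCase);
        }
        return text;
    }

    // The structural alternative: encode for the HTML context the text lands in.
    // WebUtility.HtmlEncode escapes < > & " and ', so the input can neither open or
    // close a tag nor break out of a quoted attribute value (attribute values must
    // always be quoted; an unquoted value ends at the first space).
    public static string RenderCommentBody(string untrusted)
    {
        return "<div class=\"comment\">" + WebUtility.HtmlEncode(untrusted) + "</div>";
    }

    public static void Main()
    {
        // Constructed inputs: benign markup, and benign prose containing denylisted words.
        string[] samples =
        {
            "<b>bold</b> and <i>italic</i>",
            "I learned JavaScript and wired up an onclick handler",
            "5 < 6 && \"quoted\"",
        };
        foreach (string input in samples)
        {
            Console.WriteLine("denylist: " + DenylistFilter(input));
            Console.WriteLine("encoded : " + RenderCommentBody(input));
        }
        // Denylist: <b>/<i> pass through as live markup (not listed) and ordinary words are
        // corrupted ("jaSAFEvascript", "onSAFEclick"). Encoded: every tag is inert whether or
        // not it was anticipated, and the text stays readable.
    }
}
```

Where genuinely rich text must be accepted, the defensible option is an allow-list sanitizer that parses the HTML and keeps only known-safe elements and attributes, not a denylist of substrings.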