Hey there Jake. I've followed this entire series (lurk mode); and I've very much enjoyed it.
I was doing some testing, and even simple things like onmouseover="my malicious script" can get through without careful checking.
For normal (where HTML is not allowed) fields, the following input translation formula works very well:
@ReplaceSubstring(@Trim(@ThisValue); "<":">"; "&lt;":"&gt;");
For fields where HTML IS allowed, I think the blacklist approach would ultimately prove unworkable. I think a whitelist approach is a much better idea.
Anyway, thanks for posting this very helpful series!
-Devin.
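An added illustration of the two approaches the comment describes (this is not code from the blog or from Devin's comment, and it is in Python rather than Notes formula language): the escape used for non-HTML fields beside a small whitelist filter for HTML-allowed fields, which keeps only listed tags and attributes, so an event-handler attribute such as onmouseover is never copied through. The allowed tag and attribute sets are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser

# Assumed whitelist: tag -> attribute names that may be kept on that tag.
ALLOWED = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def escape_plain(value: str) -> str:
    """Non-HTML field: trim, then escape < and > like the formula above.

    html.escape also escapes &, " and ', which the formula does not."""
    return html.escape(value.strip(), quote=True)


class WhitelistFilter(HTMLParser):
    """Rebuild markup from the parse events, keeping only whitelisted
    tags and attributes. Anything not on the list is dropped; text is
    always escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped (its text still arrives via handle_data)
        kept = []
        for name, value in attrs:
            # Only whitelisted attribute names survive, so on* handlers cannot
            # get through regardless of how they are spelled or encoded.
            if name in ALLOWED[tag] and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue  # refuse javascript:, data:, etc.
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_html(value: str) -> str:
    """HTML-allowed field: parse and re-emit through the whitelist."""
    parser = WhitelistFilter()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```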