Thread: RE: Scrubbing user inputs

RE: Scrubbing user inputs
2008-07-18 11:05:27
Client-side could be a challenge. There's probably some Javascript that will do it.

But I never trust Javascript as my only line of defense. What about something like a pre-insert, pre-update trigger that will look and see if

if asciistr(comments) = comments then <do something>

and take the appropriate action from there -- either purifying the data or raising an error message.

Note also that open comment areas which will be displayed back to the user are a classic "cross-site scripting" vulnerability. Somebody puts a bunch of nasty Javascript into the comment area and it executes when someone else looks at the comment. So please make sure you're not allowing the entered comments to be rendered as HTML -- convert the < to &lt; and so forth.

-- jim

James F. Hudson
Wisconsin Department of Natural Resources
Madison, WI
(608) 267-0840
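As an added example that is not part of the original thread (it is neither Jim's nor Monty's code), here is what the two halves of this advice look like in PL/SQL: a pre-insert/pre-update trigger that uses ASCIISTR to catch the Word bullets and curly quotes Monty describes, and a Web Toolkit procedure that escapes the comment on the way out so it is never rendered as HTML. The table APP_COMMENTS, the trigger and procedure names, and the sample rows are all assumptions; the database character set is assumed to be one that can hold the Word characters (AL32UTF8 or WE8MSWIN1252).

```plsql
-- Added example, not from the original thread. Assumed objects:
-- table APP_COMMENTS, trigger APP_COMMENTS_BIU, procedure SHOW_COMMENT.
CREATE TABLE app_comments (
  id       NUMBER PRIMARY KEY,
  comments VARCHAR2(4000)
);

-- Server-side scrub. ASCIISTR() rewrites every non-ASCII character as
-- \XXXX (its Unicode code point), so the result only equals the input
-- when the input is pure ASCII. Word's bullet is U+2022, its curly
-- quotes are U+2018/U+2019/U+201C/U+201D, its dashes U+2013/U+2014.
CREATE OR REPLACE TRIGGER app_comments_biu
  BEFORE INSERT OR UPDATE OF comments ON app_comments
  FOR EACH ROW
BEGIN
  IF :NEW.comments IS NOT NULL
     AND ASCIISTR(:NEW.comments) <> :NEW.comments
  THEN
    -- Purify: map the usual Word characters onto ASCII equivalents.
    -- Assumes the database character set can represent these characters.
    :NEW.comments := TRANSLATE(
      :NEW.comments,
      UNISTR('\2022\2018\2019\201C\201D\2013\2014'),
      '*''''""--');

    -- Whatever is still non-ASCII after that is unexpected: reject the
    -- row rather than store data the application cannot handle.
    -- (ASCIISTR also escapes a literal backslash as \5C, so a comment
    -- containing '\' lands here too; relax this if backslashes are valid.)
    IF ASCIISTR(:NEW.comments) <> :NEW.comments THEN
      RAISE_APPLICATION_ERROR(-20001,
        'Comments may only contain plain ASCII characters');
    END IF;
  END IF;
END;
/

-- Output side of Jim's second point: the stored comment is never emitted
-- as HTML. htf.escape_sc (PL/SQL Web Toolkit) rewrites the ampersand,
-- <, > and " as entities, so a pasted script tag is shown as text,
-- not executed by the next reader's browser.
CREATE OR REPLACE PROCEDURE show_comment (p_id IN app_comments.id%TYPE) AS
  l_comments app_comments.comments%TYPE;
BEGIN
  SELECT comments INTO l_comments
    FROM app_comments
   WHERE id = p_id;

  htp.p('<p>' || htf.escape_sc(l_comments) || '</p>');
END;
/

-- Constructed sample rows for a quick check.
-- Row 1 carries a Word bullet and curly quotes: the trigger maps them
-- to '*' and straight quotes. Row 2 carries a script tag, which the
-- trigger leaves alone (it is ASCII) and show_comment renders inert.
INSERT INTO app_comments (id, comments)
  VALUES (1, UNISTR('\2022 First point, \201Cquoted\201D'));
INSERT INTO app_comments (id, comments)
  VALUES (2, '<script>alert(1)</script>');
COMMIT;

SELECT id, comments FROM app_comments ORDER BY id;
```

Two design notes. The trigger deliberately does both things Jim mentions, in order: it purifies the characters it knows about, and only raises an error for anything left over, so ordinary pasted bullets succeed while genuinely unexpected input is refused instead of silently mangled. And the escaping lives in the rendering procedure, not in the trigger: storing raw text and escaping at output is what keeps the comment safe regardless of how it got into the table, whereas any client-side cleanup Monty adds is only a convenience that a user (or a script) can bypass.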

 


From: ml-errorsfatcity.com [mailto:ml-errorsfatcity.com] On Behalf Of Monty Latiolais
Sent: Friday, July 18, 2008 10:31 AM
To: Multiple recipients of list ODTUG-WEBDEV-L
Subject: Scrubbing user inputs

Hello all,

I’ve built a simple html form using the pl/sql web toolkit that has a place for the user to include comments. It’s been in production for months if not years.

Recently, we’ve experienced errors related to the content of the comments and I’ve traced it to users cutting and pasting content from MS Word directly into the web form comments field. Even that is fine except for when the user attempts to paste in bullets.

I’ll have to handle this on the client-side. Any ideas?

Regards,

Monty
