5 Replies - 1142 Views - Last Post: 26 June 2014 - 11:08 PM

#1 November-06

Validating script tags and other javascript

Posted 19 June 2014 - 02:53 AM

Hi. I am creating a vulnerable site.

I set the ValidateRequest to "false" for some pages to allow users to enter some JavaScript code.

I want to detect that:
- The user is entering JavaScript code
- The user is entering correct JavaScript (syntax would be checked to determine if script execution will produce an error or not)

This validation will be done in the code behind to check that the user is doing things correctly.

I am thinking of using regular expressions to validate the format. But whether the javascript will throw an error or not besides syntax error, can I detect that? Any tips on how should I do the validation or on how to approach this requirement?


Replies To: Validating script tags and other javascript

#2 November-06

Posted 20 June 2014 - 01:50 AM

What I have done so far is to validate the input using a regular expression that follows the pattern:

<script>alert('some text here');</script>

But what if the user uses a different approach? Like:

<script>var a='some text here';alert(a);</script>

Is regex still the technology to use in this case? I have to make sure that the variable declared is the same variable used inside the alert().

#3 trevster344

Posted 20 June 2014 - 09:41 PM

I would think you could detect that with Regex in any case; it has both Lazy and Greedy abilities. If anyone else thinks otherwise I'd really like to know as well.

#4 November-06

Posted 23 June 2014 - 04:26 AM

Thanks, trevster. I didn't know about the lazy and the greedy abilities of regex before. Doing further research on this matter, I learned that I may be able to achieve this with regex backreferences.

#5 trevster344

Posted 24 June 2014 - 09:17 AM

Awesome November-06. Hope you figure it all out! I personally just started learning last week. No more old fashioned string parsing for me.

#6 November-06

Posted 26 June 2014 - 11:08 PM

I created a simple program that checks if a string matches a regex pattern. It's basically my regex playground in case I need to play with complex patterns.

It's just a simple textbox for the pattern and another textbox for the string. A label shows "Matching" or "Not Matching" after button click.

Playing around in my little playground, I can't seem to find a solution for my new regex problem.

For example, I have this:
var a1='hi '; var b2='username';alert(a1 + b2);


Using backreferences, I can call variables a1 & b2 again in the alert.

But what do I do about the declaration of the second variable (the b2 variable)? I need a variable that is composed of letters, numbers, or underscores and that does not have special characters (following the rule of a variable). So I have...

[A-Za-z_][A-Za-z0-9_]*

At the same time, the second variable should not be equal to the first variable. This is where I'm stuck.

I need a logic AND. Some references say I can achieve this with (?=pattern)

I need to say that it should not be equal to the first variable.

[^\1] doesn't work. It seems that backreference doesn't work inside brackets.

Character class subtraction doesn't seem to help either.

Could someone guide me on how to achieve this?

This post has been edited by November-06: 26 June 2014 - 11:15 PM
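
For the question in the post above, a negative lookahead that contains the backreference, `(?!\1\b)`, placed where the second name starts is one way to require a different identifier; .NET regular expressions accept the same construct. This is an added example, not code from the thread: the surrounding pattern, the function names and the sample strings are assumptions, and it also compares the regex result with a parser-based syntax check.

```javascript
// Added example, not code from the thread. Names and pattern layout are assumptions.
const IDENT = "[A-Za-z_][A-Za-z0-9_]*";
const STR = "'[^']*'"; // single-quoted literal without escapes, as in the thread's samples

// Shape: var <first>='...'; var <second>='...'; alert(<first> + <second>);
// (?!\1\b) sits where the second name starts: the match fails if the text there
// is the first name followed by a word boundary, so "a1" is rejected but "a12" is not.
const TWO_VARS = new RegExp(
  "^\\s*var\\s+(" + IDENT + ")\\s*=\\s*" + STR + "\\s*;" +
  "\\s*var\\s+(?!\\1\\b)(" + IDENT + ")\\s*=\\s*" + STR + "\\s*;" +
  "\\s*alert\\(\\s*\\1\\s*\\+\\s*\\2\\s*\\)\\s*;?\\s*$"
);

// Returns the two captured names, or null when the input does not fit the shape.
function matchTwoVars(src) {
  const m = TWO_VARS.exec(src);
  return m ? { first: m[1], second: m[2] } : null;
}

// Syntax check with the engine's own parser. new Function compiles the body and
// throws SyntaxError on invalid code; the body is not run because it is never called.
function isValidSyntax(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample inputs (the first one is the string from the post).
const SAMPLES = [
  "var a1='hi '; var b2='username';alert(a1 + b2);",   // regex yes, parses yes
  "var a1='hi '; var a1='username';alert(a1 + a1);",   // same name twice: regex no
  "var a1='hi '; var a12='username';alert(a1 + a12);", // a1 is only a prefix: regex yes
  "var a1='x'; var if='y';alert(a1 + if);",            // reserved word: regex yes, parses no
  "let a1=\"hi \"; let b2=\"username\"; alert(a1 + b2);" // valid JS the regex does not know
];

function report() {
  return SAMPLES.map((src) => ({
    src,
    regexMatch: matchTwoVars(src) !== null,
    parses: isValidSyntax(src),
  }));
}

console.log(report());
```

The last two samples show where the pattern and the parser disagree: the regex accepts a reserved word as a variable name and rejects equivalent valid code. Neither check says whether the code throws at run time.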
