
XSS - Javascript Injection Into Form Input Boxes

Status
Not open for further replies.

Krus1972

Programmer
Mar 18, 2004
145
US
I have a standard HTML form that has one keyword input box with a button. I am inserting the following into the input box and clicking submit:
<IMG """><SCRIPT>alert("XSS")</SCRIPT>

I receive a message from my browser saying "XSS" and the form remains messed up unless I refresh the webpage.

Can someone help me with a few lines of javascript that will prevent this from happening? I am trying to prevent any form of script to be entered in the form input box and causing funny things to happen. Only text keywords are allowed.

Thank You.
 
Code:
<input type="text" onblur="this.value = this.value.replace(/(<([^>]+)>)/ig,'');" />

of course, do a check on the server side as well, just in case the user has JS disabled.


--------

GOOGLE is a great resource to find answers to questions like "how do i..."


--------
 
vicvirk:

I've tried your snippet in several different ways with no success. Am I supposed to substitute "this.value" with something else? Below is my form with input tags:


<head>
<script type="text/javascript">
function submittab2(){

parent.fshoppingtabs.tab2.target = "shoppingframe";
parent.fshoppingtabs.tab2.action ="/Auctions/fgetsearchresults2.asp";
parent.fshoppingtabs.tab2.submit();

parent.fshoppingtabs.tab2.target = "fshoppingtabs";
parent.fshoppingtabs.tab2.action ="/fshoppingTABS.asp";
parent.fshoppingtabs.tab2.submit();
}
</script>
</head>

<form name="tab2">
  

<input type="text" size="30" name="keywords" value="<%=keywords%>">  

<input onclick="submittab2()" type="submit" value="Update" name="shopping">  

<input type="hidden" name="tab" value="2">

</form>

How do I place your "onblur" javascript snippet into this and make it work?
My knowledge of Javascript is very little as I am an ASP, HTML, CSS programmer.

Thanks so much for your help.
 
Code:
<input type="text" size="30" name="keywords" value="<%=keywords%>" onblur="this.value = this.value.replace(/(<([^>]+)>)/ig,'');">

^ exactly as it is written above.




 
vicvirk

Is it possible to make it so that the browser will not even submit the form if any of these characters are used and opens an alert box telling the visitor that these characters are not acceptable? If you notice in the above script I am using javascript to submit the form to two different frames at once and it would be nice that the browser just doesn't submit the form at all if any of these characters are used.

Thank you so much for your help. If you need any ASP help, hit me up.

Jeff
 
Hi

Unless /Auctions/fgetsearchresults2.asp returns HTTP response code 204, I would not expect your double submitting to work.
Code:
function submittab2()
{
  // keywords is the <input> element itself, so test its .value;
  // the pattern is the same tag shape the onblur snippet strips
  if (parent.fshoppingtabs.tab2.keywords.value.match(/<[^>]+>/)) {
    alert('Illegal characters found');
    // this only stops the submission if the button's handler
    // is written as onclick="return submittab2()"
    return false;
  }

  parent.fshoppingtabs.tab2.target = "shoppingframe";
  parent.fshoppingtabs.tab2.action ="/Auctions/fgetsearchresults2.asp";
  parent.fshoppingtabs.tab2.submit();

  parent.fshoppingtabs.tab2.target = "fshoppingtabs";
  parent.fshoppingtabs.tab2.action ="/fshoppingTABS.asp";
  parent.fshoppingtabs.tab2.submit();
}
Next time please post your code between [code] and [/code] TGML tags. And make sure you post valid code.

Feherke.
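As an added example (not code from this thread or from any of its posters), the block below puts the two client-side regexes from the replies above, the onblur tag-stripping and the submittab2() tag check, beside the server-side step vicvirk's "do a check on the server side as well" points at: encoding the keyword when the ASP page echoes it back into value="<%=keywords%>". The function names and the sample inputs are this example's own; the first sample is the payload from the question.

```javascript
// Added example, not code from this thread. It puts the client-side regexes
// from the replies beside the server-side output encoding that the ASP page
// needs when it echoes the keyword back into value="<%=keywords%>".
// Function names and the sample inputs below are constructed for this example.

// Same expression as the onblur snippet: remove anything shaped like a tag.
function stripTags(value) {
  return String(value).replace(/(<([^>]+)>)/ig, '');
}

// Same test as the guard added to submittab2(): flag input containing a tag.
function containsTag(value) {
  return /<[^>]+>/.test(String(value));
}

// Server-side defence. Encoding the HTML-significant characters on output
// keeps any keyword inert inside an attribute or element body, whether or not
// the visitor ran the JavaScript (a request can be sent without the browser).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later replacements are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The keyword box as the ASP page renders it, with encoding applied on output.
function renderKeywordInput(keywords) {
  return '<input type="text" size="30" name="keywords" value="' +
    escapeHtml(keywords) + '">';
}

// Constructed samples: the payload from the question, then inputs the tag
// regex leaves alone, including a plain double quote that would otherwise end
// the value="" attribute early if it were echoed back unencoded.
const sampleKeywords = [
  '<IMG """><SCRIPT>alert("XSS")</SCRIPT>',
  'plain keyword',
  'a<b',
  'say "hi"'
];

// One row per sample: what the client-side checks do, and what the server
// actually writes into the page.
function demo() {
  return sampleKeywords.map(function (kw) {
    return {
      input: kw,
      clientRejects: containsTag(kw),
      clientStripped: stripTags(kw),
      serverRendered: renderKeywordInput(kw)
    };
  });
}

demo().forEach(function (row) { console.log(row); });
```

Running it shows the regex catching the question's payload but passing `say "hi"` untouched, and escapeHtml() producing `value="say &quot;hi&quot;"` so the attribute stays intact either way; the regex is a usability nicety, the encoding is the control.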
 