> I have never written a regular expression before, I am
> brand new to them. Could someone assist me with writing
> one that will check form fields for certain CF tags along
> with hazardous javascript. I would like to loop over the
> form.fieldnames list and then throw an error if a value
> contains unacceptable stuff.

Here's some code based on some of my own tags for sweeping text input
from forms:

<cfset problemFields="">

<cfloop index="field" list="#form.fieldnames#">
 <cfscript>
  fieldValue = StructFind(form, field);
  // Event handler attributes to look for (one alternation, reused below)
  handlers = "onabort|onblur|onchange|onclick|ondblclick|ondragdrop|onerror|onfocus|onhelp|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onmove|onreset|onresize|onsubmit|onunload";
  // Check for CF tags: replace "cftag" with the tag you want to catch
  if (REFindNoCase("<cftag[^>]*>", fieldValue)) {
   problemFields = ListAppend(problemFields, field);
  }
  // Check for JS: script tags, JS entities, the javascript: pseudo-protocol
  // (unquoted, double-quoted, single-quoted) and event handlers (same three forms)
  if (
   REFindNoCase("<script[^>]*>", fieldValue) OR
   REFindNoCase("&\{[^}]*\};", fieldValue) OR
   REFindNoCase("=javascript:[^ >]*[ >]", fieldValue) OR
   REFindNoCase("=""javascript:[^""]*""", fieldValue) OR
   REFindNoCase("='javascript:[^']*'", fieldValue) OR
   REFindNoCase(" +(" & handlers & ")=""[^""]*""", fieldValue) OR
   REFindNoCase(" +(" & handlers & ")='[^']*'", fieldValue) OR
   REFindNoCase(" +(" & handlers & ")=[^ >]*[ >]", fieldValue)
  ) {
   problemFields = ListAppend(problemFields, field);
  }
 </cfscript>
</cfloop>

Assume the loop and the building up of fields with 'problem' code is
pretty straightforward to you...

The first RegExp checks for CF tags. Obviously replace the "cftag" bit
with whatever tag you're checking for, and string Finds together with
ORs for multiple tags. The next bit in square brackets means "match zero
or more characters that aren't closing angle brackets". The square
brackets contain a range of characters to match, the caret inverts
things and says "match things that *aren't* between these square
brackets, and the asterisk just after does the "match zero or more" bit.
Then after that it should match a closing angle bracket. All this adds
up to matching a tag with any number of attributes.

"Hazardous" JS is kind of hard to test for, if you're trying to keep
"non-hazardous" stuff in. The only thing to do I think is check for any
JS. There's a number of tests:

- For <script> tags
- For 'JS entities' (an old NS3 thing I think)
- For JS pseudo-protocols (with varying types of quote marks - note that
double quotes are escaped)
- For event handlers (again with varying quote marks)

This code *should* (not tested!) return a list of fields with problem
code, if any.

A couple of things:

- Why not just strip these things out instead of throwing an error and
returning the form? Use REReplaceNoCase(string, regexp, string, scope).
- Why not just strip out all tags? If the text entered is supposed to be
just plaintext, would there be a need for the user to enter *any* tags?
You would use for this: form.field = REReplaceNoCase(form.field,
"<[^>]*>", "", "ALL")

Anyways, HTH,

- Gyrus

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- [EMAIL PROTECTED]
work: http://www.tengai.co.uk
play: http://www.norlonto.net
- PGP key available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
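Added example, not Gyrus's code: the same sweep in Python 3 (standard-library re and html only), with the event-handler alternation shared between its three quoting forms, plus Gyrus's strip-all-tags alternative and HTML-escaping on output, which keeps the text intact without relying on a blocklist. It goes slightly beyond the post in matching any <cf...> tag rather than one named tag; the form submission at the bottom is constructed.

```python
import html
import re

EVENTS = ("onabort|onblur|onchange|onclick|ondblclick|ondragdrop|onerror|onfocus|"
          "onhelp|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|"
          "onmouseout|onmouseover|onmouseup|onmove|onreset|onresize|onsubmit|onunload")

# Any <cfxxx ...> tag (the post checks one named tag; this generalises it)
CF_TAG = re.compile(r"<cf\w+[^>]*>", re.I)

JS_PATTERNS = [re.compile(p, re.I) for p in (
    r"<script[^>]*>",            # <script> tags
    r"&\{[^}]*\};",              # Netscape JS entities
    r"=javascript:[^ >]*[ >]",   # javascript: pseudo-protocol, unquoted
    r'="javascript:[^"]*"',      # ... double-quoted
    r"='javascript:[^']*'",      # ... single-quoted
    rf' +({EVENTS})="[^"]*"',    # event handlers, double-quoted
    rf" +({EVENTS})='[^']*'",    # ... single-quoted
    rf" +({EVENTS})=[^ >]*[ >]", # ... unquoted
)]

def problem_fields(form):
    """Return the names of fields whose values contain CF tags or JS."""
    bad = []
    for name, value in form.items():
        if CF_TAG.search(value) or any(p.search(value) for p in JS_PATTERNS):
            bad.append(name)
    return bad

TAG = re.compile(r"<[^>]*>")

def strip_tags(value):
    """Gyrus's second suggestion: drop every tag if the field should be plain text."""
    return TAG.sub("", value)

def safe_for_html(value):
    """Escape on output: no blocklist needed, and the user's text survives intact."""
    return html.escape(value, quote=True)

# Constructed sample submission: one harmless field, one CF tag, one event handler
SAMPLE_FORM = {
    "name": "Alice <b>Smith</b>",
    "bio": "<cfoutput>#now()#</cfoutput>",
    "sig": '<img src="x.gif" onload="doSomething()">',
}

if __name__ == "__main__":
    print(problem_fields(SAMPLE_FORM))        # ['bio', 'sig']
    print(strip_tags(SAMPLE_FORM["name"]))    # Alice Smith
```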
