To sanitize input against XSS, use DOMPurify (https://github.com/cure53/DOMPurify)
on the client side, something like this:

        // Run as the form's onsubmit handler: sanitize every field value in place
        // with DOMPurify before the browser submits it, then let the submit continue.
        function submitForm() {
                // forms[0] is the first <form> on the page; the original used
                // document.form, which only works when the form is named "form".
                var elements = document.forms[0].elements;

                for (var i = 0; i < elements.length; i++) {
                        elements[i].value = DOMPurify.sanitize(elements[i].value);
                }

                return true;
        }

The other thing is to always use ‘html encode(value; *)’ when you are rendering 
database values. This converts any html special characters to html entities.

All the best,

  - Aparajita
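The output-encoding step recommended above, as an added example that is not part of the original thread. It is written in JavaScript rather than Active4D so it runs stand-alone; htmlEncode, renderUserField, looksInjected and htmlDecode are names assumed here, and the sample username is the one quoted in the original question.

```javascript
// Added example: render-time HTML encoding of a stored database value.
// The username is stored exactly as entered and converted to entities only
// when it is placed into markup, so the quoted payload becomes inert text.

const ENTITY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML structure in text or
// attribute context. Equivalent in intent to Active4D's html encode.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Render the user-edit field: the database value passes through htmlEncode
// before it is placed inside the quoted value attribute.
function renderUserField(usrName) {
  return '<input type="text" name="usrName" value="' + htmlEncode(usrName) + '">';
}

// Defensive self-check for a template: after encoding, the markup must contain
// exactly one tag-opening "<" (our own <input>) and no raw <script>. Anything
// else indicates a value that reached the page without being encoded.
function looksInjected(markup) {
  const openers = (markup.match(/</g) || []).length;
  return /<script/i.test(markup) || openers !== 1;
}

// Inverse mapping, used to show the stored value survives the round trip intact.
function htmlDecode(encoded) {
  const reverse = Object.fromEntries(Object.entries(ENTITY_MAP).map(([k, v]) => [v, k]));
  return encoded.replace(/&(amp|lt|gt|quot|#39);/g, (m) => reverse[m]);
}

// Constructed sample: the username the penetration testers submitted (from the thread).
const SAMPLE_USERNAME = "xxx\"><script>alert('xss in user');</script>";

if (typeof require !== "undefined" && require.main === module) {
  const markup = renderUserField(SAMPLE_USERNAME);
  console.log(markup);
  console.log("injected:", looksInjected(markup));
}
```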

> On Feb 22, 2018, at 3:15 AM, Norbert Pfaff <npf...@mac.com> wrote:
> 
> Hi,
> 
> I have a field username in a form.
> 
> I save this field with something like   
> 
> [users]usrName:=_form{"name"}
> Save record[users]
> 
> Now my customer (a town) has had a penetration test, and the folks who have 
> done it say there is a problem when somebody writes in his username 
> something like this:
> 
> xxx"><script>alert('xss in user');</script>
> 
> Next time I open the user record, there is then a dialog with "xss in user".
> 
> What is an easy way to check for characters not allowed?
> 
> Grüße/regards
> Norbert
>       
> 
> Norbert Pfaff
> Hammelstalstr. 52
> 67098 Bad Dürkheim
> 
> Fon:  06322 9108028
> Skype:    npfaff
> eMail: npf...@mac.com
> 
> 
> 
> _______________________________________________
> Active4D-dev mailing list
> Active4D-dev@aparajitaworld.com
> http://list.aparajitaworld.com/listinfo/active4d-dev
> Archives: http://active4d-nabble.aparajitaworld.com/
