
META - redirect security

sporfex asked:
Hi.

I have a form where users can write text online and also use HTML in it. I know that you can redirect to another page using a META tag. How can I prevent this?

Shall I check whether the string includes some words?

Let's play a little bit here.

Let's say that I store strInput in a table field and I want to check it beforehand. What could that code look like?

Regards

Commented:
Just use Server.HTMLEncode before you store it, like

rs("fieldName") = server.htmlEncode(request("yourFormField"))

Commented:
That will handle your meta-refresh tags as well as script tags that they might be adding, like <% and %>. This will cause a problem with any client-side script if you wish to allow them to enter it into the database.

If you need to use the client-side script, then you will need to replace multiple items...


I would replace <% with &gt;%.
I would replace meta with something like me ta.

There are probably many more, but that is what pops to mind right now.

Author

Commented:
But can they still use ordinary links etc.? They should.

Like

<b></b>
<font color='red'></font>
<a href....

etc.

I want them to be able to use such things.

Commented:
That would still work if you use the second method of replacing <% and meta...

Author

Commented:
Some code suggestion on how to use replace?

Commented:
Replace function code example.


<%
Dim str

str = "<%haha"
Response.Write str & "<br>"
str = replace(str, "<%", "//")
Response.Write str
%>

hongjun

Commented:
'get the current value
strNewValue = request("yourFormField")
'replace <%
strNewValue = replace(strNewValue,"<%","&gt;%")
'replace meta
strNewValue = replace(strNewValue,"meta","me ta")

'save the new value to the database
rs("fieldName") = strNewValue

Commented:
Here are the basic workings of replace():
replace(strInput,strFind,strReplace)

replace looks in strInput for all occurrences of strFind. It replaces each occurrence with the contents of strReplace.

strInput = "thisandthat"

'replace every t with x in the string "thisandthat"
strInput = replace(strInput,"t","x")

'strInput now holds "xhisandxhax"
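
The replace() approach above has two practical gaps a reviewer would flag. VBScript's replace() is case-sensitive unless you pass the vbTextCompare argument, so replacing "meta" with "me ta" leaves "<META HTTP-EQUIV=refresh ...>" untouched, and an <a href="javascript:..."> link is never looked at. (Also note that &gt; is the entity for ">"; to show a literal "<" the entity is &lt;.) The following is an added example, written in Python rather than the thread's VBScript and not code from any of the posters: blocklist_filter reproduces the substring-replace idea so the bypass can be seen, and sanitize_html is an allowlist alternative that keeps the tags the asker wants (<b>, <i>, <u>, <br>, <font color>, <a href> with http/https or relative links only) and drops every other tag and attribute, including <meta>, <script> with its body, onclick= and style=. The names ALLOWED_TAGS, safe_href, AllowlistSanitizer and sanitize_html, and the sample post, are my own constructions.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup the asker wants to keep, and the only attribute(s) allowed on each tag.
# Everything else (<meta>, <iframe>, onclick=, style=, http-equiv=, ...) is dropped.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "br": set(),
    "font": {"color"},
    "a": {"href"},
}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # drop the tag *and* the text inside it
SAFE_SCHEMES = {"http", "https"}


def blocklist_filter(text):
    """The thread's approach: literal, case-sensitive substring replacement."""
    return text.replace("<%", "&lt;%").replace("meta", "me ta")


def safe_href(value):
    """Return a cleaned href, or None if the link must be dropped."""
    # Browsers ignore tabs/newlines inside a URL, so "java\tscript:" would still
    # run; strip ASCII control characters and spaces before reading the scheme.
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlparse(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None            # javascript:, data:, vbscript:, mailto:, ...
    return cleaned             # http(s) or a relative link


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []    # allowed tags currently open
        self.skipping = None   # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()      # HTMLParser lower-cases names, so <META> == <meta>
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return             # unknown tag removed; its text content is kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue       # drops onclick=, style=, http-equiv=, content=, ...
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # close down to the matching tag so the output stays well-formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # re-encodes <, > and &

    def result(self):
        while self.open_tags:                           # close anything left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(text):
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample post: allowed markup mixed with an upper-case META redirect.
    post = ("<b>Hello</b> <a href='http://example.com'>link</a>"
            "<META HTTP-EQUIV='refresh' CONTENT='0;url=http://evil.example/'>")
    print(blocklist_filter(post))   # META survives: the replace is case-sensitive
    print(sanitize_html(post))      # only <b> and the <a href> remain
```

Store the value returned by sanitize_html in the table field instead of the raw form field; because it is rebuilt from an allowlist, anything not on the list is gone regardless of letter case, spacing or encoding tricks in the tag name. If the text must be shown as-is (no HTML at all), the first answer's Server.HTMLEncode remains the simpler and safer choice.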

