Solved

Does Dreamweaver 8 help prevent XSS - cross site scripting

Posted on 2006-05-07
Last Modified: 2010-04-25
Does Dreamweaver 8 help prevent XSS or is some additional coding of the input required?

My take on this from the code is...

It checks for ' when constructing the INSERT, DELETE etc., but I also see that it reads Request.Form, which is the last and direct input from the user (uncleaned)...

  ' create the MM_fields and MM_columns arrays
  MM_fields = Split(MM_fieldsStr, "|")
  MM_columns = Split(MM_columnsStr, "|")
 
  ' set the form values
  For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
    MM_fields(MM_i+1) = CStr(Request.Form(MM_fields(MM_i)))   ' <-- the Request.Form line in the standard DW construct
  Next


Any ideas.... am I missing something?


Question by:philwill4u
7 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 16629019
As far as I know it doesn't do this, as there are so many ways that XSS can occur.  The reason DW uses the pipe symbol is to create an array to hold all column and field names.  This is so that DW can store as many values as you care to require all in one catch-all variable.  Otherwise Macromedia would have to use thousands of unique variables to hold each column value, which would be very memory intensive.  The pipe symbol "|" is used as the array separator because it's much less common than the comma symbol.
 

Author Comment

by:philwill4u
ID: 16629101
So I guess, I'd need to replace.....

  For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
    MM_fields(MM_i+1) = CStr(Request.Form(MM_fields(MM_i)))   ' <-- the Request.Form line in the standard DW construct
  Next

with the XSS-cleaned variables rather than Request.Form, or alternatively change the names of the variables in the pipe list to those of the XSS-cleaned variables.... not so bad, but I wish there were a better way.
 
LVL 25

Expert Comment

by:Rouchie
ID: 16629149
Yes you're correct.  You sound as though you potentially have the knowledge to create the whole database connection code yourself anyway.  I always write it out myself from scratch now because Dreamweaver gets very glitchy when you start making changes and go beyond the very basic form of data retrieval.

Author Comment

by:philwill4u
ID: 16629205
Thanks.... I've managed to get it working by screening the request.form as follows....

  For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
    MM_fields(MM_i+1) = CStr(no_xss(Request.Form(MM_fields(MM_i))))  ' <-- calls a function 'no_xss' which cleans the form data
  Next

Phew.... thanks for your help.
 
LVL 25

Accepted Solution

by:Rouchie (earned 1500 total points)
ID: 16629289
Just out of interest, what sort of checks are you including?  Is your no_xss function looping through the array?
 

Author Comment

by:philwill4u
ID: 16629311
The no_xss function checks each of the form fields (per the loop), and what it does to remove/replace the fields is as follows:

<%
' Remove HTML tags, then replace or drop the characters treated as risky.
' Note: the "=" step replaces "=" with "=" and so changes nothing as posted.
Function stripHTML(strHTML)
    Dim re, strOutput
    Set re = New RegExp
    With re
        .IgnoreCase = True
        .Global = True
        .Pattern = "<(.|\n)+?>"                 ' any tag, including ones spanning lines
        strOutput = .Replace(strHTML, "")
    End With
    Set re = Nothing
    strOutput = Replace(strOutput, "<", "[")
    strOutput = Replace(strOutput, ">", "]")
    strOutput = Replace(strOutput, "(", "[")
    strOutput = Replace(strOutput, ")", "]")
    strOutput = Replace(strOutput, "=", "=")    ' no-op as posted
    strOutput = Replace(strOutput, ";", "")
    strOutput = Replace(strOutput, "--", "")    ' SQL comment marker
    strOutput = Replace(strOutput, "'", "''")   ' SQL string-literal quote doubling
    stripHTML = strOutput                       ' Return the value of strOutput
End Function

Function no_xss(strIn)
    If Len(strIn) > 0 Then
        no_xss = stripHTML(strIn)
    Else
        no_xss = strIn
    End If
End Function
%>
 
LVL 25

Expert Comment

by:Rouchie
ID: 16629357
Okay I see what you're doing.  So it's equally about SQL-injection prevention too...
Better to be safe than sorry.... :-)
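To make the trade-off in this thread concrete, the filter chain posted above is modelled in Python and run beside output encoding at render time; this is an added example, not code from the thread, and the sample inputs are constructed.

```python
import html
import re

# Python model of the stripHTML/no_xss pair posted in the thread (classic ASP
# VBScript), so its effect on ordinary form data can be inspected offline.
_TAG_RE = re.compile(r"<(.|\n)+?>", re.IGNORECASE)

def dw_no_xss(value: str) -> str:
    """Apply the thread's filter: strip tags, then the Replace() steps in order."""
    if len(value) == 0:
        return value
    out = _TAG_RE.sub("", value)
    for old, new in (("<", "["), (">", "]"), ("(", "["), (")", "]"),
                     ("=", "="),                  # no-op as posted
                     (";", ""), ("--", ""),       # SQL-oriented steps
                     ("'", "''")):                # SQL quote doubling
        out = out.replace(old, new)
    return out

def html_encode(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context.

    The stored value is left exactly as the user typed it; markup characters
    are rendered as literal text, which is what stops XSS when the value is
    written back into a page. Storing it needs a parameterised query, not
    quote doubling in the filter.
    """
    return html.escape(value, quote=True)

# Constructed samples: legitimate data that happens to contain filtered characters.
SAMPLES = {
    "name": "O'Brien (Sales)",
    "note": "x=1; y=2 -- see <b>bold</b>",
}

def compare(value: str) -> dict:
    """Return the same input after the thread's filter and after output encoding."""
    return {"filtered": dw_no_xss(value), "encoded": html_encode(value)}

if __name__ == "__main__":
    for key, raw in SAMPLES.items():
        print(key, compare(raw))
```

Running it shows the filter rewriting "O'Brien (Sales)" to "O''Brien [Sales]" and silently dropping ";" and "--" from the note, while encoding keeps the data intact and still neutralises the tags on display.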