philwill4u
Does Dreamweaver 8 help prevent XSS - cross site scripting
Does Dreamweaver 8 help prevent XSS or is some additional coding of the input required?
My take on this from the code is...
It checks for ' when constructing the INSERT, DELETE etc but I also see that it reads Request.Form which is the last and direct input from the user (uncleaned)...
' create the MM_fields and MM_columns arrays
MM_fields = Split(MM_fieldsStr, "|")
MM_columns = Split(MM_columnsStr, "|")
' set the form values
For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
  MM_fields(MM_i+1) = CStr(Request.Form(MM_fields(MM_i)))  ' <---- the Request.Form line in the standard DW construct
Next
Any ideas.... am I missing something?
As far as I know it doesn't do this, as there are so many ways that XSS can occur. The reason DW uses the pipe symbol is to create an array to hold all column and field names. This is so that DW can store as many values as you care to require all in one catch-all variable. Otherwise Macromedia would have to use thousands of unique variables to hold each column value, which would be very memory intensive. The pipe symbol "|" is used as the array separator because it's much less common than the comma symbol.
ASKER
So I guess, I'd need to replace.....
For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
  MM_fields(MM_i+1) = CStr(Request.Form(MM_fields(MM_i)))  ' <---- the Request.Form line in the standard DW construct
Next
with the XSS cleaned variables rather than request.form or alternatively, change the names of the variables in the pipe list to those of the XSS cleaned variables.... not so bad but I wish there were a better way.
Yes you're correct. You sound as though you potentially have the knowledge to create the whole database connection code yourself anyway. I always write it out myself from scratch now because Dreamweaver gets very glitchy when you start making changes and go beyond the very basic form of data retrieval.
ASKER
Thanks.... I've managed to get it working by screening the request.form as follows....
For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
  MM_fields(MM_i+1) = CStr(no_xss(Request.Form(MM_fields(MM_i))))  ' <---- includes a function 'no_xss' which cleans the form data
Next
Phew.... thanks for your help.
ASKER
The no_xss function checks each of the form fields (per the loop); what it removes or replaces is as follows:
<%
Function stripHTML(strHTML)
  Dim re, strOutput
  Set re = New RegExp
  With re
    .IgnoreCase = True
    .Global = True
    .Pattern = "<(.|\n)+?>"            ' any <...> tag, including ones that span a line break
    strOutput = .Replace(strHTML, "")  ' drop the tags themselves
    ' neutralise characters that could still form markup or SQL syntax
    strOutput = Replace(strOutput, "<", "[")
    strOutput = Replace(strOutput, ">", "]")
    strOutput = Replace(strOutput, "(", "[")
    strOutput = Replace(strOutput, ")", "]")
    strOutput = Replace(strOutput, "=", "=")   ' as posted, this replaces "=" with itself (no-op)
    strOutput = Replace(strOutput, ";", "")
    strOutput = Replace(strOutput, "--", "")   ' SQL comment marker
    strOutput = Replace(strOutput, "'", "''")  ' double single quotes for SQL string literals
  End With
  Set re = Nothing
  stripHTML = strOutput 'Return the value of strOutput
End Function

Function no_xss(strIn)
  If Len(strIn) > 0 Then
    no_xss = stripHTML(strIn)
  Else
    no_xss = strIn
  End If
End Function
%>
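The no_xss routine above strips markup and doubles single quotes at input time. As an added example (not from this thread and not Dreamweaver's own code), the same MM_fields loop can instead bind each value as an ADO parameter and HTML-encode it on the way back out, so the database and the browser each receive data rather than syntax. It assumes MM_conn_STRING, MM_editTable and the MM_fields/MM_columns arrays from the standard DW insert block, that the even-numbered entries of MM_columns are column names, and that every column is text of at most 255 characters.

```vbscript
<%
' Added example; assumes MM_conn_STRING, MM_editTable, MM_fields and
' MM_columns are already set up by the standard DW insert block.
Dim MM_cmd, MM_sql, MM_i, MM_colList, MM_paramList
MM_colList = ""
MM_paramList = ""

' Build "INSERT INTO table (c1, c2) VALUES (?, ?)" from the column names only;
' user-supplied values never go into the SQL string.
For MM_i = LBound(MM_columns) To UBound(MM_columns) Step 2
  If MM_colList <> "" Then
    MM_colList = MM_colList & ", "
    MM_paramList = MM_paramList & ", "
  End If
  MM_colList = MM_colList & MM_columns(MM_i)   ' assumption: even index = column name
  MM_paramList = MM_paramList & "?"
Next
MM_sql = "INSERT INTO " & MM_editTable & " (" & MM_colList & ") VALUES (" & MM_paramList & ")"

Set MM_cmd = Server.CreateObject("ADODB.Command")
MM_cmd.ActiveConnection = MM_conn_STRING
MM_cmd.CommandText = MM_sql
MM_cmd.Prepared = True

' Bind each raw Request.Form value as a parameter (adVarChar = 200,
' adParamInput = 1, size 255 assumed). Quotes, semicolons and "--" stay
' inside the value and are never interpreted as SQL.
For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("p" & MM_i, 200, 1, 255, _
    CStr(Request.Form(MM_fields(MM_i))))
Next
MM_cmd.Execute
Set MM_cmd = Nothing

' XSS is handled where the data is rendered, not where it is stored:
' encode when writing a stored value into the page so "<" becomes "&lt;".
Sub WriteField(strValue)
  Response.Write Server.HTMLEncode(CStr(strValue))
End Sub
%>
```

Input kept this way still carries "<script>" literally in the database, which is harmless as long as every Response.Write of it goes through Server.HTMLEncode.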
Okay I see what you're doing. So it's equally about SQL-injection prevention too...
Better to be safe than sorry.... :-)