Solved

Regex for script injection

Posted on 2008-10-14
Last Modified: 2010-04-21
What would a regex look like for alpha, or alpha plus numeric, with spaces? Spaces are only between words. I'd like to flag characters such as "<" and ">" that are used in <script>.

This is for .net 3.5 C#.
Question by:brettr
5 Comments
 
LVL 27

Expert Comment

by:ddrudik
ID: 22716962
In regex patterns, generally:

alpha:
a-zA-Z
numeric:
[0-9]
spaces would just be spaces.

<[^>]*> would generally match most HTML tags.
<script\s[^>]*> would match a script starting tag
<script\s[^>]*>.*?</script> would match most script blocks, assuming you have . matching \n in your code. If your platform does not have an option for that, use [\S\s] instead of . to match all characters.

Author Comment

by:brettr
ID: 22717000
Can you show what the full pattern would look like? Thanks.
LVL 84

Accepted Solution

by: ozo (earned 500 total points)
ID: 22717286
^[\w\s]*$
LVL 27

Expert Comment

by:ddrudik
ID: 22718126
alpha:
"a-zA-Z"
numeric:
"[0-9]"
spaces would just be spaces.
" "
"<[^>]*>" would generally match most HTML tags.
"<script\s[^>]*>" would match a script starting tag
"<script\s[^>]*>.*?</script>" would match most script blocks, assuming you have . matching \n in your code. If your platform does not have an option for that, use [\S\s] instead of . to match all characters.

The patterns are in quotes.
If you want to match all of that in one pattern:
"[a-zA-Z0-9 ]|<script\s[^>]*>.*?</script>|<[^>]*>"

It depends on your source text as to what pattern you need, though; more specifics would be required, as well as your platform, before a suitable pattern could be given. If you attempted to use the patterns supplied, they would disallow characters in non-HTML-tag text as well.

Author Closing Comment

by:brettr
ID: 31506119
Sorry ddrudik, but yours isn't working with

<script>myname>
or
myname>
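As an added example (my code, not from the thread or from either expert), here is a C# 3.0 / .NET 3.5 check that runs three patterns against the two inputs from the closing comment plus a few constructed edge cases: the accepted allowlist ^[\w\s]*$, a stricter allowlist written to the asker's stated rules (ASCII letters and digits, single spaces only between words), and a denylist built from ddrudik's tag patterns. The class and method names are my own; System.Web.dll must be referenced for HttpUtility.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web; // reference System.Web.dll for HttpUtility.HtmlEncode

// Added example, not part of the original thread. Written for C# 3.0 / .NET 3.5.
static class NameCheck
{
    // Accepted answer. In .NET, \w matches Unicode letters, digits and '_',
    // and \s matches tabs and newlines too, so this admits more than
    // "letters and digits with single spaces between words".
    static readonly Regex Accepted = new Regex(@"^[\w\s]*$");

    // Stricter allowlist matching the asker's stated rules: ASCII letters and
    // digits, words separated by exactly one space, nothing before or after.
    // \z (not $) so that a trailing newline is also rejected.
    static readonly Regex Strict = new Regex(@"^[A-Za-z0-9]+( [A-Za-z0-9]+)*\z");

    // Denylist combining ddrudik's tag patterns. Singleline is the .NET option
    // that makes . match \n, as his comment requires.
    static readonly Regex TagDenylist = new Regex(
        @"<script\s[^>]*>.*?</script>|<[^>]*>",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);

    public static bool AllowedByAccepted(string s) { return Accepted.IsMatch(s); }
    public static bool AllowedByStrict(string s)   { return Strict.IsMatch(s); }
    public static bool FlaggedByDenylist(string s) { return TagDenylist.IsMatch(s); }

    static void Main()
    {
        // Constructed inputs: the two from the closing comment plus edge cases.
        string[] inputs = {
            "myname", "my name", "<script>myname>", "myname>",
            "my_name", "my  name", "myname\n", "<b>myname</b>"
        };

        Console.WriteLine("{0,-20} {1,-9} {2,-7} {3}",
            "input", "accepted", "strict", "denylist-flagged");
        foreach (string s in inputs)
        {
            Console.WriteLine("{0,-20} {1,-9} {2,-7} {3}",
                s.Replace("\n", "\\n"),
                AllowedByAccepted(s), AllowedByStrict(s), FlaggedByDenylist(s));
        }

        // Validation narrows what gets stored; encoding on output is what keeps
        // a stored value from being rendered as markup, whatever the check let through.
        Console.WriteLine(HttpUtility.HtmlEncode("<script>myname>"));
    }
}
```

The row for "myname>" is the one brettr reported: the denylist does not flag it, because a pattern that looks for tags cannot reject a stray ">" that is not part of one, while both allowlists reject it. Note also that the accepted ^[\w\s]*$ lets "my_name", "my  name" and "myname\n" through (\w includes underscore and Unicode letters, \s includes newlines, and $ matches before a trailing newline), which the stricter pattern does not. Whichever check is used, HttpUtility.HtmlEncode when writing the value into a page is the control that actually stops it from becoming a script element.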
