Removing Harmful Characters from User Input
To protect against vulnerabilities such as script injection and cross-site scripting, an application can validate user input and reject anything that does not pass, or it can simply remove harmful characters and continue processing. This topic provides example code that uses regular expressions to remove harmful characters. Keep in mind that removing characters silently changes the data (a name such as O'Brien becomes OBrien, and characters outside A-Z and 0-9 are lost entirely), so rejecting invalid input, or encoding it when it is written back to the page, is often the safer choice.
Note
Most of the example code in the IIS SDK does not include user input validation, because it would draw attention away from the programming element that the example code is illustrating. If you use example code from other topics in the IIS SDK, consider adding the examples from the Writing Secure IIS Applications section to improve security.
Example Code
The following example shows you how to use Visual Basic Scripting Edition (VBScript) to include a function that removes potentially harmful characters from a string that is passed to the function. The code page (1252, Windows Western European) is set explicitly so that strings are encoded consistently. The regular expression, [^A-Za-z0-9_ ], matches any single character that is not one of the following:
An alphabetic character
A number
An underscore (_)
A space
<%@ LANGUAGE="VBScript" %>
<%
' Set the code page explicitly so the string is encoded consistently.
Response.CodePage = 1252
' Filter the form field before it is written back into the page.
Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName")))
Response.Write("<BR>This is why you received an error:")

' Remove every character that is not a letter, digit, underscore or space.
Function RemoveBadCharacters(strTemp)
    Dim regEx
    Set regEx = New RegExp
    regEx.Pattern = "[^A-Za-z0-9_ ]"
    ' Global = True replaces all matches; without it only the first
    ' disallowed character would be removed.
    regEx.Global = True
    RemoveBadCharacters = regEx.Replace(strTemp, "")
End Function
%>
The same function written in JScript:
<%@ LANGUAGE="JScript" %>
<%
// Set the code page explicitly so the string is encoded consistently.
Response.CodePage = 1252;
// Filter the form field before it is written back into the page.
Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName")));
Response.Write("<BR>This is why you received an error:");

// Remove every character that is not a letter, digit, underscore or space.
// Request.Form("UserName") returns a collection item rather than a JScript
// string, so convert it with String() before calling replace; the "g" flag
// replaces all matches rather than only the first.
function RemoveBadCharacters(strTemp) {
    strTemp = String(strTemp).replace(/[^A-Za-z0-9_ ]/g, "");
    return strTemp;
}
%>
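The following is an added example, not code from the IIS SDK, written in plain JavaScript (run with Node) so the allowlist filter above can be compared with the two alternatives the topic mentions, rejecting the input and encoding it on output. The sample inputs are constructed, not captured requests. It shows what stripping does to legitimate data (apostrophes, accented letters) and that a script tag is neutralised by removing its delimiters rather than its contents.

```javascript
// Added example (not part of the IIS SDK). Compares three ways of handling
// untrusted input: strip to an allowlist, reject anything off the allowlist,
// or keep the data and encode it when writing HTML.

// Allowlist filter, equivalent to the VBScript/JScript RemoveBadCharacters.
// The "g" flag matters: without it only the first disallowed character goes.
function removeBadCharacters(input) {
  return String(input).replace(/[^A-Za-z0-9_ ]/g, "");
}

// Verify-and-reject variant: true only when every character is allowlisted.
function isAllowed(input) {
  return /^[A-Za-z0-9_ ]*$/.test(String(input));
}

// Output-encoding alternative: the data is kept intact but made inert in HTML.
function htmlEncode(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Run all three approaches on one input and return the outcomes side by side.
function compare(input) {
  return {
    input: String(input),
    stripped: removeBadCharacters(input),
    accepted: isAllowed(input),
    encoded: htmlEncode(input),
  };
}

// Constructed sample inputs: a clean name, an XSS attempt, a name with an
// apostrophe, a name with non-ASCII letters, and a SQL-injection-style string.
const samples = [
  "alice_01",
  "<script>alert(1)</script>",
  "O'Brien",
  "José Müller",
  'Bob"; DROP TABLE users; --',
];

for (const s of samples) {
  console.log(compare(s));
}
```

Stripping turns `<script>alert(1)</script>` into `scriptalert1script`, which is harmless but unrecognisable, while `O'Brien` and `José Müller` lose characters a real user would expect to keep; `isAllowed` rejects those same inputs so the application can ask for a correction, and `htmlEncode` preserves them while making the script tag inert.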