Validating User Input to Avoid Attacks
To protect against vulnerabilities such as script injection and cross-site scripting, user input can be verified and rejected, or an application can remove harmful characters and continue processing. This topic provides example code that uses regular expressions to verify user input.
Note
Most of the example code in the IIS SDK does not include user input validation, because it would draw emphasis away from the programming element that the example code illustrates. If you use example code from other topics in the IIS SDK, consider adding the examples from the Writing Secure IIS Applications section to improve security.
Example Code
The following examples show you how to validate a string using a regular expression. The regular expression, ^[\w\.:\?&=/]*$, matches a complete string (from beginning to end) that contains only the following characters:
alphanumeric or underscore (_)
periods (.)
colons (:)
question marks (?)
ampersands (&)
equal signs (=)
forward slashes (/)
The following example shows you how to use the Visual Basic programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.
The Visual Basic example was taken from the topic titled Redirecting in a COM Object Using IResponse::Redirect.
' Assumed: myURL is a module-level String that is assigned elsewhere
' before RedirectTo is called.
Private myURL As String

Public Function ValidateInput(ByVal sInput As String) As Boolean
    Dim reValid As RegExp
    Set reValid = New RegExp
    ' Whole-string allow-list: only \w . : ? & = / may appear.
    reValid.Pattern = "^[\w\.:\?&=/]*$"
    ' MultiLine = False keeps ^ and $ anchored to the whole string,
    ' not to individual lines within it.
    reValid.MultiLine = False
    reValid.Global = True
    ValidateInput = reValid.Test(sInput)
End Function

Public Function RedirectTo() As Boolean
    If ValidateInput(myURL) Then
        Dim objContext As ObjectContext
        Dim objResponse As Response
        Set objContext = GetObjectContext()
        Set objResponse = objContext("Response")
        objResponse.Redirect (myURL)
        RedirectTo = True
    Else
        RedirectTo = False
    End If
End Function
The following example shows you how to use the Visual Basic Scripting Edition (VBScript) programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.
<%@ LANGUAGE="VBScript" %>
<%
Response.CodePage = 1252

' Assumed: MyUrl has been assigned earlier in the page. VBScript is not
' case-sensitive, so MyUrl and myURL refer to the same variable.
If ValidateInput(MyUrl) Then
    Response.Redirect (MyUrl)
Else
    Response.Write("URL was invalid.")
End If

Function ValidateInput(sInput)
    Dim reValid
    Set reValid = New RegExp
    ' Whole-string allow-list: only \w . : ? & = / may appear.
    reValid.Pattern = "^[\w\.:\?&=/]*$"
    ' MultiLine = False keeps ^ and $ anchored to the whole string.
    reValid.MultiLine = False
    reValid.Global = True
    ValidateInput = reValid.Test(sInput)
End Function
%>
The following example shows you how to use the JScript programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.
<%@ LANGUAGE="JScript" %>
<%
Response.CodePage = 1252;

// Assumed: myURL has been assigned earlier in the page. JScript is
// case-sensitive, so the same spelling must be used throughout.
if (ValidateInput(myURL)) {
    Response.Redirect(myURL);
}
else {
    Response.Write("URL was invalid.");
}

function ValidateInput(sInput) {
    // Whole-string allow-list: only \w . : ? & = / may appear. The test
    // method belongs to the RegExp object, not to the string, and the
    // pattern is used without the m flag so that ^ and $ anchor to the
    // whole string rather than to individual lines within it.
    var reValid = /^[\w\.:\?&=/]*$/;
    return reValid.test(sInput);
}
%>
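The following is an added example and not part of the IIS SDK: it applies the page's allow-list pattern as a JavaScript validator and, for comparison, keeps the g and m flags used in the JScript sample above in a second variant, so the effect of those flags on inputs containing line breaks is visible. The function names and the sample inputs are constructed for this example.

```javascript
// Added example, not from the IIS SDK. Applies the page's allow-list
// pattern ^[\w\.:\?&=/]*$ as a whole-string validator and compares it with
// the flags used by the page's JScript sample (/gm).

// Whole-string test: ^ and $ anchor to the start and end of the input.
const URL_ALLOWLIST = /^[\w\.:\?&=/]*$/;

// Same character class with the g and m flags. With m, ^ and $ also match
// at embedded line breaks, so only one line of the input has to be clean.
const URL_ALLOWLIST_GM = /^[\w\.:\?&=/]*$/gm;

// Validator equivalent to the page's VB and VBScript ValidateInput.
function validateInput(sInput) {
  if (typeof sInput !== "string") {
    return false;
  }
  return URL_ALLOWLIST.test(sInput);
}

// Validator with the flags of the original JScript sample, for comparison.
function validateInputGM(sInput) {
  if (typeof sInput !== "string") {
    return false;
  }
  // A regex with the g flag is stateful; reset it before every test.
  URL_ALLOWLIST_GM.lastIndex = 0;
  return URL_ALLOWLIST_GM.test(sInput);
}

// Constructed sample inputs (not from the page).
const SAMPLES = [
  "default.asp?id=42&view=full",   // allowed characters only
  "http://host.example/page.asp",  // scheme, host and path are all allowed
  "page.asp?q=a b",                // space is not in the allow-list
  "page.asp?q=a%20b",              // percent-encoding is not in the allow-list
  "page.asp\r\nsecond line",       // CR LF: rejected by the whole-string test,
                                   // accepted by the m-flag variant (first line only)
  ""                               // the * quantifier accepts an empty string
];

// Result of both validators for each input, so the difference is visible.
function classify(inputs) {
  return inputs.map(function (s) {
    return { input: s, strict: validateInput(s), gm: validateInputGM(s) };
  });
}

classify(SAMPLES).forEach(function (r) {
  console.log(JSON.stringify(r));
});
```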