When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips

Sections:
Sample Chapters
Commonly Asked Message Board Questions
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
XML Info
Information:
Feedback
Author an Article
ASP ASP.NET ASP FAQs Message Board Feedback
Print this page.
Published: Thursday, December 07, 2000

Determining if a String has Certain Substrings, Part 2


  • Read Part 1

  • In Part 1 we looked at a number of helper function for determining if any offending substrings exist in a string. In this part, we'll look at these helper function in action and look at some enhancements.

    - continued -

    The below code adds six illegal substrings to objDictViolations, a Dictionary object, via the AddViolation subroutine we examined earlier. Next, a check is made to see if a user-entered string contains any of these substrings; if it does, a list of offending substrings are displayed.

    'Create a dictionary object
    Dim objDictViolations
    Set objDictViolations = Server.CreateObject("Scripting.Dictionary")
      
    'Assign offending substrings to dictionary object
    AddViolation objDictViolations, "<html>"
    AddViolation objDictViolations, "</html>"
    AddViolation objDictViolations, "<body>"
    AddViolation objDictViolations, "</body>"
    AddViolation objDictViolations, "<script"
    AddViolation objDictViolations, "<table"
    
    'Read in a user-entered string.
    Dim strCheck
    strCheck = Request("string")
    
    If CheckStringForViolations(strCheck, objDictViolations) then
      Response.Write "<b>The following unallowed substrings were found " & _
                     "in your input text:</b><br>"
      
      'Replace < with &lt; and > with &gt;
      Dim strResults
      strResults = ListViolations(objDictViolations)
      strResults = Replace(strResults, "<", "<")
      strResults = Replace(strResults, ">", ">")
      Response.Write strResults & "<p>"
    Else
      Response.Write "<b>No violations were found in your input text!</b>"
    End If
    
    [View the live demo!]

    Note what the above code is trying to do. It basically is attempting to preclude the user from entering in certain HTML strings... hrmm... but what if we have a clever visitor who tries something like < script ... (note the space between the < and the word script. Gadzooks! This will slip by and will serve as an HTML script block when someone views the user's output through an HTML page! Shoot, that's exactly what we were trying to avoid!

    Wouldn't it be neat if we could use regular expressions instead? That way, we could specify an illegal regular expression like <(\s)*script, meaning, "Hey, if you find a less than character followed by zero or more whitespace characters, followed by "script," then this is illegal. (For more information on regular expressions be sure to read the articles at the Regular Expressions Article Index!)

    A new helper function will handle this nicely for us:

    Function CheckStringForViolationsRegExp(strString, ByRef objDict)
      'Determines if the string strString has any violations
      Dim bolViolations
      bolViolations = False
        
      Dim objRegExp
      Set objRegExp = New Regexp
        
      objRegExp.IgnoreCase = True
      objRegExp.Global = True
        
      Dim strKey
      For Each strKey in objDict
        objRegExp.Pattern = strKey
        If objRegExp.Test(strString) then
          bolViolations = True
          objDict(strKey) = True
        End If
      Next   
        
      CheckStringForViolationsRegExp = bolViolations  
    End Function
    

    Note that in this function we create an instance of the Regexp object and use the Test method in the For Each ... Next loop to determine if the offending pattern is found in the passed-in string strString. Keep in mind that each element in the Dictionary object that we create needs to be an offending regular expression pattern, not an offending substring. Regular expressions have certain reserved characters (like the ?). If you want to include a literal question mark in an offending pattern, you need to precede it with a backslash: \?.

    With this new function, we can create a new, more powerful example:

    'Add offending regular expression patterns
    AddViolation objDictViolations, "<(\s)*html(\s)*>"
    AddViolation objDictViolations, ""
    AddViolation objDictViolations, "<(\s)*body(\s)*>"
    AddViolation objDictViolations, "<(\s)*/body(\s)*>"
    AddViolation objDictViolations, "<(\s)*script"
    AddViolation objDictViolations, "<(\s)*table"
      
    Dim strCheck, strKey
    strCheck = Request("string")
      
    If Len(strCheck) > 0 then
      If CheckStringForViolationsRegExp(strCheck, objDictViolations) then
        'Offending patterns found...
      Else
        'No offending patterns found...
      End If
    End If
    
    [View the live demo!]

    That about wraps up this article! Note there are some possible enhancements. First off, the ListViolations helper function kind of displays some ugly values. If you'd like to create some clever code to handle this, feel free to, and send it to me and if its makes the grade I will post it in this article! :-) Also, it would be nice to have a Reset helper function that simply iterated through each element of a passed-in Dictionary object and set all of its values back to False. Ah, too many ideas, too little time!

    Happy Programming!


    ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article