Determining if a String has Certain Substrings, Part 2

Determining if a String has Certain Substrings, Part 2

In Part 1 we looked at a number of helper function for determining if any offending substrings exist in a string. In this part, we'll look at these helper function in action and look at some enhancements.

- continued -

The below code adds six illegal substrings to objDictViolations, a Dictionary object, via the AddViolation subroutine we examined earlier. Next, a check is made to see if a user-entered string contains any of these substrings; if it does, a list of offending substrings are displayed.

'Create a dictionary object Dim objDictViolations Set objDictViolations = Server.CreateObject("Scripting.Dictionary") 'Assign offending substrings to dictionary object AddViolation objDictViolations, "<html>" AddViolation objDictViolations, "</html>" AddViolation objDictViolations, "<body>" AddViolation objDictViolations, "</body>" AddViolation objDictViolations, "<script" AddViolation objDictViolations, "<table" 'Read in a user-entered string. Dim strCheck strCheck = Request("string") If CheckStringForViolations(strCheck, objDictViolations) then Response.Write "<b>The following unallowed substrings were found " & _ "in your input text:</b><br>" 'Replace < with < and > with > Dim strResults strResults = ListViolations(objDictViolations) strResults = Replace(strResults, "<", "<") strResults = Replace(strResults, ">", ">") Response.Write strResults & "<p>" Else Response.Write "<b>No violations were found in your input text!</b>" End If
[View the live demo!]

Note what the above code is trying to do. It basically is attempting to preclude the user from entering in certain HTML strings... hrmm... but what if we have a clever visitor who tries something like < script ... (note the space between the < and the word script. Gadzooks! This will slip by and will serve as an HTML script block when someone views the user's output through an HTML page! Shoot, that's exactly what we were trying to avoid!

Wouldn't it be neat if we could use regular expressions instead? That way, we could specify an illegal regular expression like <(\s)*script, meaning, "Hey, if you find a less than character followed by zero or more whitespace characters, followed by "script," then this is illegal. (For more information on regular expressions be sure to read the articles at the Regular Expressions Article Index!)

A new helper function will handle this nicely for us:

Function CheckStringForViolationsRegExp(strString, ByRef objDict) 'Determines if the string strString has any violations Dim bolViolations bolViolations = False Dim objRegExp Set objRegExp = New Regexp objRegExp.IgnoreCase = True objRegExp.Global = True Dim strKey For Each strKey in objDict objRegExp.Pattern = strKey If objRegExp.Test(strString) then bolViolations = True objDict(strKey) = True End If Next CheckStringForViolationsRegExp = bolViolations End Function

Note that in this function we create an instance of the Regexp object and use the Test method in the For Each ... Next loop to determine if the offending pattern is found in the passed-in string strString. Keep in mind that each element in the Dictionary object that we create needs to be an offending regular expression pattern, not an offending substring. Regular expressions have certain reserved characters (like the ?). If you want to include a literal question mark in an offending pattern, you need to precede it with a backslash: \?.

With this new function, we can create a new, more powerful example:

'Add offending regular expression patterns AddViolation objDictViolations, "<(\s)*html(\s)*>" AddViolation objDictViolations, "" AddViolation objDictViolations, "<(\s)*body(\s)*>" AddViolation objDictViolations, "<(\s)*/body(\s)*>" AddViolation objDictViolations, "<(\s)*script" AddViolation objDictViolations, "<(\s)*table" Dim strCheck, strKey strCheck = Request("string") If Len(strCheck) > 0 then If CheckStringForViolationsRegExp(strCheck, objDictViolations) then 'Offending patterns found... Else 'No offending patterns found... End If End If
[View the live demo!]

That about wraps up this article! Note there are some possible enhancements. First off, the ListViolations helper function kind of displays some ugly values. If you'd like to create some clever code to handle this, feel free to, and send it to me and if its makes the grade I will post it in this article! :-) Also, it would be nice to have a Reset helper function that simply iterated through each element of a passed-in Dictionary object and set all of its values back to False. Ah, too many ideas, too little time!

Happy Programming!