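{
    // Unchecked text: everything in txtNotes is user-supplied and is treated as hostile.
    string text = this.txtNotes.Text.Trim();
    string cleanText = string.Empty;

    // Every pattern below runs over untrusted input, so bound the match time: an
    // unbounded Regex on attacker-controlled text is a denial-of-service (ReDoS) risk.
    // Fully qualified so no extra using directive is required.
    System.TimeSpan matchTimeout = System.TimeSpan.FromSeconds(1);

    // 1st clean: strip the listed opening/closing tags. Add any tag you want removed to the
    // alternation below; it is replaced with an empty string. RegexOptions.IgnoreCase already
    // makes the match case-insensitive, so the inline (?i:) is dropped, and Singleline lets
    // '.' cross newlines instead of the slower per-character (.|\n) alternation.
    cleanText = Regex.Replace(
        text,
        @"</?(?:applet|body|embed|frame|script|frameset|html|iframe|img|style|layer|link|ilayer|meta|object|href|alert).*?>",
        "",
        RegexOptions.IgnoreCase | RegexOptions.Singleline,
        matchTimeout);
    text = cleanText;

    // 2nd clean: paranoid regex for XSS attacks.
    // The pattern came from a Perl/PHP-style source; in a .NET verbatim string the leading "/",
    // the trailing "/I" and the "</TD< tr>r>" table fragment are NOT delimiters but literal text
    // the input would have to contain, so with them the expression matched nothing realistic.
    // Explanation:
    // This signature simply looks for the opening HTML tag, or its hex equivalent (%3C),
    // followed by one or more characters other than the newline, and then followed
    // by the closing tag or its hex equivalent (%3E).
    // This may end up giving a few false positives depending upon how your Web application
    // and Web server are structured, but it is intended to catch anything that even
    // remotely resembles a cross-site scripting attack.
    string cleanerText = Regex.Replace(
        text,
        @"((\%3C)|<)[^\n]+((\%3E)|>)",
        "",
        RegexOptions.IgnoreCase,
        matchTimeout);
    text = cleanerText;

    // 3rd clean: regex for the "<img src" XSS attack (same delimiter/table junk removed).
    // Explanation:
    // ((\%3C)|<)                                         opening angled bracket or hex equivalent
    // ((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47)) the letters 'img' in varying
    //                                                    combinations of ASCII, or upper or lower case hex equivalents
    // [^\n]+                                             any character other than a new line following the <img
    // ((\%3E)|>)                                         closing angled bracket or hex equivalent
    string cleanestText = Regex.Replace(
        text,
        @"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
        "",
        RegexOptions.IgnoreCase,
        matchTimeout);

    // Add your own clean text here.
    // NOTE(review): tag stripping is a denylist and is only defence in depth; the stored value
    // must still be HTML-encoded at the point where it is rendered.
    this.txtCleanText.Text = cleanestText;
}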
The code above would replace all offending script with empty strings, like this:

If you want to use one of the 3 regular expressions above in a validator, use:
/((\<)|<)[^\n]+((\>)|>)/I </TD< tr>r>
Use the above to inform the user not to use certain forbidden script characters. However, in my BLL, I use all three of the functions to replace most forbidden script (at least all that I could find) with an empty string. I couldn't figure out how to combine all three into one regular expression.
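// Unchecked text: everything in txtNotes is user-supplied and is treated as hostile.
string text = this.txtNotes.Text.Trim();
string cleanText = string.Empty;

// Every pattern below runs over untrusted input, so bound the match time: an
// unbounded Regex on attacker-controlled text is a denial-of-service (ReDoS) risk.
// Fully qualified so no extra using directive is required.
System.TimeSpan matchTimeout = System.TimeSpan.FromSeconds(1);

// 1st clean: strip the listed opening/closing tags. Add any tag you want removed to the
// alternation below; it is replaced with an empty string. RegexOptions.IgnoreCase already
// makes the match case-insensitive, so the inline (?i:) is dropped, and Singleline lets
// '.' cross newlines instead of the slower per-character (.|\n) alternation.
cleanText = Regex.Replace(
    text,
    @"</?(?:applet|body|embed|frame|script|frameset|html|iframe|img|style|layer|link|ilayer|meta|object|href).*?>",
    "",
    RegexOptions.IgnoreCase | RegexOptions.Singleline,
    matchTimeout);
text = cleanText;

// 2nd clean: paranoid regex for XSS attacks.
// The pattern came from a Perl/PHP-style source; in a .NET verbatim string the leading "/",
// the trailing "/I" and the "</TD< tr>r>" table fragment are NOT delimiters but literal text
// the input would have to contain, so with them the expression matched nothing realistic.
// The hex alternatives are written out as %3C / %3E; the "\<" and "\>" forms they had been
// decoded to were only literal brackets and lost the encoded variant.
// Explanation:
// This signature simply looks for the opening HTML tag, or its hex equivalent (%3C),
// followed by one or more characters other than the newline, and then followed
// by the closing tag or its hex equivalent (%3E).
// This may end up giving a few false positives depending upon how your Web application
// and Web server are structured, but it is intended to catch anything that even
// remotely resembles a cross-site scripting attack.
string cleanerText = Regex.Replace(
    text,
    @"((\%3C)|<)[^\n]+((\%3E)|>)",
    "",
    RegexOptions.IgnoreCase,
    matchTimeout);
text = cleanerText;

// 3rd clean: regex for the "<img src" XSS attack.
// Besides the delimiter/table junk, the previous pattern contained \i, \I, \m, \M and \g,
// which are not recognised escapes in .NET and make Regex.Replace throw an ArgumentException
// at runtime; they are the decoded remains of the %69/%49/%6D/%4D/%67/%47 hex alternatives
// restored here.
// Explanation:
// ((\%3C)|<)                                         opening angled bracket or hex equivalent
// ((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47)) the letters 'img' in varying
//                                                    combinations of ASCII, or upper or lower case hex equivalents
// [^\n]+                                             any character other than a new line following the <img
// ((\%3E)|>)                                         closing angled bracket or hex equivalent
// NOTE(review): tag stripping is a denylist and is only defence in depth; the stored value
// must still be HTML-encoded at the point where it is rendered.
string cleanestText = Regex.Replace(
    text,
    @"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
    "",
    RegexOptions.IgnoreCase,
    matchTimeout);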