Validating User Input to Avoid Attacks

To protect against vulnerabilities such as script injection and cross-site scripting, an application can verify user input and reject anything that fails the check, or it can remove harmful characters and continue processing. This topic provides example code that uses regular expressions to verify user input.

Note

Most of the example code in the IIS SDK does not include user input validation because emphasis would be taken away from the programming element that the example code is illustrating. If you use example code from other topics in the IIS SDK, consider adding the examples from the Writing Secure IIS Applications section to improve security.

Example Code

The following examples show you how to validate a string using a regular expression. The regular expression, ^[\w\.:\?&=/]*$, is anchored at the beginning and end of the string, so the string is accepted only if every character in it is one of the following:

  • alphanumeric or underscore (_)

  • periods (.)

  • colons (:)

  • question marks (?)

  • ampersands (&)

  • equal signs (=)

  • forward slashes (/)

The following example shows you how to use the Visual Basic programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.

The Visual Basic example was taken from the topic titled Redirecting in a COM Object Using IResponse::Redirect.

Public Function ValidateInput(ByVal sInput As String) As Boolean
    ' Returns True only if every character of sInput is in the allowed set.
    Dim reValid As RegExp
    Set reValid = New RegExp

    reValid.Pattern = "^[\w\.:\?&=/]*$"
    reValid.MultiLine = False   ' ^ and $ anchor the whole string, not each line
    reValid.Global = True

    ValidateInput = reValid.Test(sInput)
End Function

Public Function RedirectTo() As Boolean
    ' myURL is assumed to be a module-level String assigned before this call
    ' (see the topic Redirecting in a COM Object Using IResponse::Redirect).
    ' Redirect only if the value passes the allow-list check.
    If ValidateInput(myURL) Then
        Dim objContext As ObjectContext
        Dim objResponse As Response
        Set objContext = GetObjectContext()
        Set objResponse = objContext("Response")
        objResponse.Redirect myURL
        RedirectTo = True
    Else
        RedirectTo = False
    End If
End Function

The following example shows you how to use the Visual Basic Scripting Edition (VBScript) programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.

<%@ LANGUAGE="VBScript" %>
<%
  Response.CodePage = 1252
  ' myURL is assumed to have been assigned before this point.
  If ValidateInput(myURL) Then
    Response.Redirect myURL
  Else
    Response.Write "URL was invalid."
  End If

  ' Returns True only if every character of sInput is in the allowed set.
  Function ValidateInput(sInput)
    Dim reValid
    Set reValid = New RegExp

    reValid.Pattern = "^[\w\.:\?&=/]*$"
    reValid.MultiLine = False   ' ^ and $ anchor the whole string, not each line
    reValid.Global = True

    ValidateInput = reValid.Test(sInput)
  End Function
%>

The following example shows you how to use the JScript programming language to include a function that returns a Boolean value indicating whether the string passed to the function is a valid URL, which might contain a query string.

<%@ LANGUAGE="JScript" %>
<%
  Response.CodePage = 1252;
  // JScript is case-sensitive, so one spelling of the variable name is used
  // throughout. myURL is assumed to have been assigned before this point.
  if (ValidateInput(myURL)) {
    Response.Redirect(myURL);
  }
  else
  {
    Response.Write("URL was invalid.");
  }

  // Returns true only if every character of sInput is in the allowed set.
  function ValidateInput(sInput) {
    // test() is a method of RegExp, not of String. No "m" flag: with
    // multiline matching, ^ and $ would also match at an embedded line
    // break and the check could pass a string containing disallowed
    // characters after a newline. No "g" flag: it makes test() stateful.
    var reValid = /^[\w\.:\?&=/]*$/;
    return reValid.test(sInput);
  }
%>
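The same allow-list check in standard JavaScript, added here as an example that is not part of the IIS SDK. It makes explicit two points the ASP samples above leave implicit: what the multiline flag used in the JScript sample changes, and that the character allow-list alone does not restrict where a redirect target points. The requirement that a redirect target be a site-relative path is an assumption of this example, not something the SDK code enforces.

```javascript
// Added example, not from the IIS SDK: the SDK's allow-list check in
// standard JavaScript, plus two checks the ASP samples leave implicit.

// Same character class as the SDK pattern ^[\w\.:\?&=/]*$. No "m" flag:
// ^ and $ anchor the whole string, like MultiLine = False in the VB code.
var URL_CHARS = /^[\w.:?&=\/]*$/;

function validateInput(sInput) {
  if (typeof sInput !== "string") return false; // Empty/undefined is not valid
  return URL_CHARS.test(sInput);
}

// The SDK's JScript sample uses the flags "gm". Reproduced here only to show
// the difference: with "m", $ also matches just before an embedded line break.
var URL_CHARS_GM = /^[\w.:?&=\/]*$/gm;

function validateInputMultiline(sInput) {
  URL_CHARS_GM.lastIndex = 0; // "g" makes test() stateful; reset per call
  return URL_CHARS_GM.test(sInput);
}

// The allow-list says nothing about where a URL points: ":" and "/" are
// permitted, so "http://other.example/" is a valid string. Assumption for
// this example: the application only redirects within its own site, so a
// redirect target must also be a non-empty, site-relative path.
function isSafeRedirectTarget(sInput) {
  if (!validateInput(sInput)) return false;
  if (sInput.length === 0) return false;         // "*" admits the empty string
  if (sInput.charAt(0) !== "/") return false;    // must be site-relative
  if (sInput.indexOf("//") === 0) return false;  // "//host/..." leaves the site
  return true;
}

// Constructed sample inputs: a normal query string, a value with an
// embedded CRLF, and an absolute URL to another host.
var samples = [
  "/default.asp?id=1&view=full",
  "/default.asp?id=1\r\n<script>",
  "http://other.example/"
];
samples.forEach(function (s) {
  console.log(JSON.stringify(s),
    "validateInput:", validateInput(s),
    "withM:", validateInputMultiline(s),
    "safeRedirect:", isSafeRedirectTarget(s));
});
```

Run with node; the second sample passes only the multiline variant, and the third passes the character check but is rejected as a redirect target.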