Removing Harmful Characters from User Input

IIS 6.0

To protect against vulnerabilities such as script injection and cross-site scripting, user input can be verified and rejected, or an application can simply remove harmful characters and continue processing. This topic provides example code that uses regular expressions to remove harmful characters.


Most of the example code in the IIS SDK does not include user input validation because emphasis would be taken away from the programming element that the example code is illustrating. If you use examples code from other topics in the IIS SDK, consider adding the examples from the Writing Secure IIS Applications section to improve security.

The following example shows you how to use Visual Basic Scripting Edition (VBScript) to include a function that removes potentially harmful characters from a string that is sent to the function. The code page is specified to ensure proper encoding of strings. The regular expression, [^A-Za-z0-9_ ], matches any character that is not any of the following:

  • An alphabetic character

  • A number

  • An underscore (_)

  • A space

<%@ LANGUAGE="VBScript" %> 
  Response.CodePage = 1252 
  Response.Write("Hello, " & RemoveBadCharacters(Request.Form("UserName"))) 
  Response.Write("<BR>This is why you received an error:") 

  Function RemoveBadCharacters(strTemp) 
    Dim regEx 
    Set regEx = New RegExp 
    regEx.Pattern = "[^A-Za-z0-9_ ]" 
    regEx.Global = True 
    RemoveBadCharacters = regEx.Replace(strTemp, "") 
  End Function 

<%@ LANGUAGE="JScript" %> 
  Response.CodePage = 1252; 
  Response.Write("Hello, " + RemoveBadCharacters(Request.Form("UserName"))); 
  Response.Write("<BR>This is why you received an error:"); 

  function RemoveBadCharacters(strTemp) {  
    strTemp = strTemp.replace(/[^A-Za-z0-9_ ]/g,"");  
    return strTemp;