
 

Author removing javascript from a HTML file dynamically
ASP.Confused

2004-07-26, 8:55 am

I am designing a forum system, and I would like to know if there is a script
somewhere that can parse an HTML response, and remove javascript.

I would like to do this so that I don't have hackers attempting to take over
the client's browser. I have my code to the point that it will remove all
script tags, and anything between them, but I have no idea how to remove the
"on-" events (for example, onmouseout, onmouseover, etc...)

Also, I would like to remove any references to the position attribute of an
element's style. This is proving to be difficult, because there are various
ways it could be embedded into the script. For example,

<div style="position: absolute; left: 0px; top: 0px; height: 100000; width:
100000"></div>

renders the same as:

<div style="#$&%&@*%position: absolute; left: 0px; top: 0px; height: 100000;
width: 100000"></div>

and renders the same as:

<div style="position#$&%&@*%: absolute; left: 0px; top: 0px; height: 100000;
width: 100000"></div>

which makes it kinda hard to parse out the position attribute, which would
force me to filter out the word "position" from the entire document, which
is not acceptable.

Got any suggestions?


ASP.Confused

2004-07-26, 8:55 pm

Already figured it out...Thanks anyways.



"ASP.Confused" <anonymous@> wrote in message
news:uJUzF2wcEHA.3792@TK2MSFTNGP09.phx.gbl...
> I am designing a forum system, and I would like to know if there is a script
> somewhere that can parse an HTML response, and remove javascript.
>
> I would like to do this so that I don't have hackers attempting to take over
> the client's browser. I have my code to the point that it will remove all
> script tags, and anything between them, but I have no idea how to remove the
> "on-" events (for example, onmouseout, onmouseover, etc...)
>
> Also, I would like to remove any references to the position attribute of an
> element's style. This is proving to be difficult, because there are various
> ways it could be embedded into the script. For example,
>
> <div style="position: absolute; left: 0px; top: 0px; height: 100000; width:
> 100000"></div>
>
> renders the same as:
>
> <div style="#$&%&@*%position: absolute; left: 0px; top: 0px; height: 100000;
> width: 100000"></div>
>
> and renders the same as:
>
> <div style="position#$&%&@*%: absolute; left: 0px; top: 0px; height: 100000;
> width: 100000"></div>
>
> which makes it kinda hard to parse out the position attribute, which would
> force me to filter out the word "position" from the entire document, which
> is not acceptable.
>
> Got any suggestions?
>
>



Bullschmidt

2004-07-27, 8:55 pm

And of course to disable all HTML tags and JavaScript, and perhaps
later just show the code as text:

varFld = Server.HTMLEncode(varFld)

Best regards,
J. Paul Schmidt, Freelance ASP Web Developer
http://www.Bullschmidt.com
Classic ASP Design Tips, ASP Web Database Demo, ASP Bar Chart Tool...


ASP.Confused

2004-07-28, 3:55 pm

Thanks! I'm actually designing a rich text forum, so that snippet of code
won't help me out immediately. Also, no one will be using the forum to post
code, but I will look into adding that at a later date.

"Bullschmidt" <paul@bullschmidt.com-nospam> wrote in message
news:%23M%23jQ1BdEHA.3020@TK2MSFTNGP11.phx.gbl...
> And of course to disable all HTML tags and JavaScript, and perhaps
> later just show the code as text:
>
> varFld = Server.HTMLEncode(varFld)
>
> Best regards,
> J. Paul Schmidt, Freelance ASP Web Developer
> http://www.Bullschmidt.com
> Classic ASP Design Tips, ASP Web Database Demo, ASP Bar Chart Tool...
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!


