Saturday, 23 January 2010

Do not allow HTML into the textbox

This is the most of times QA team will try to do and file bugs in web applications. They tries to enter the HTML into the textbox and the request fails as usual. The page renders with an .net generic exception if it is asp.net web application. This is because of the security problems. ASP.NET [OR I am not sure how different languages treat the html in textbox] if any HTML in the input textbox then it treats that it as "script injection attack".
If you think that the web application is safe to enter HTML tags in the input controls then there are two solutions.
  • For the specific page, I mean in the page directive just add extra attribute ValidateRequest="false". This will apply to only that page, so you can enter HTML into the text boxes for that page.
  • If you want to solve this problem for all pages in the application then in the web.config file, add ValidateRequest="false" for <pages> tag.
But, as we discussed this is not the 100% true solution, because there are chances of script injection attack. So, how to solve this problem? Today these days, everyone started using javascript or JQuery in their web applications. I have chosen JQuery to fix this problem. Below is the solution.
$(document).ready(function() {
$("input").live("keyup", function() {
RemoveTheHTMLFromTextBox($(this));
});
$("input").blur(function() {
RemoveTheHTMLFromTextBox($(this));
});
$("input").live("click", function() {
RemoveTheHTMLFromTextBox($(this));
});
function RemoveTheHTMLFromTextBox(obj) {
var inputValue = $(obj).val();
if (inputValue.indexOf('<') > -1 || inputValue.indexOf(">") > -1) {
$(obj).val($(obj).val()
.replace(/"/g, "")
.replace(/</G, ??)
.replace(/>/g, "")
.replace(/&/g, ""));
}
}
});

This will look for any HTML tags [<>] and replace them with empty space. This solution will work perfectly. Hope you like it. What is your opinion? any best solution?

Note: Don’t forget to add the JQuery file before you access this script.

No comments:

Post a Comment