Mega Code Archive
COM Component that Bites Off HTML Tags

Title: COM Component that Bites Off HTML Tags

Question: Wise forum moderators and/or webmasters would want to deny visitors the ability to post messages or guestbook entries that contain HTML tags. Posted by an advanced but evil hacker, such input could deface the site or mount another kind of CSS attack (Cross-Site Scripting attack, today usually abbreviated XSS).

Answer: Here's a simple function that can be wrapped as a COM method and used to strip HTML tags from a form's input. It relies on the class field fTagCount, which counts the tags removed.

  function THtmlTagsProcessor.StripOffTags(const Html: WideString): WideString; safecall;
  var
    OpTag: Int64;        // Open tag position tracker
    ClTag: Int64;        // Close tag position tracker
    Content: WideString;

    procedure GetTag;    // Gets the positions of the first '<' and the first '>'
    begin
      OpTag := Pos('<', Content);
      ClTag := Pos('>', Content);
    end;

    function RemoveTag: Boolean;  // If a tag is found, it is removed
    begin
      if ClTag > 0 then
      begin
        fTagCount := fTagCount + 1;
        Delete(Content, OpTag, ClTag - OpTag + 1);
        Result := True;
      end
      else
        Result := False;
    end;

  begin
    Content := Html;
    fTagCount := 0;      // Could be exposed as a read-only property TotalTags
    while Pos('<', Content) > 0 do
    begin
      GetTag;
      if (ClTag > 0) and (ClTag < OpTag) then
      begin
        Delete(Content, ClTag, 1);   // stray '>' before the '<': drop it and rescan
        Continue;                    // positions are stale after a deletion
      end;
      if not RemoveTag then Break;   // a '<' with no '>' after it is left in place
    end;
    Result := Content;
  end;

===

As far as we have defined this method, we should test it! Assuming that we compiled the MyLib library that contains the THtmlTagsProcessor class and registered it within the MTS (COM+) run-time environment, let's just open an ASP page and make a server-side acceptor:

  <%
  dim DataThatContainsTags, DataWithoutTags, TagsBiter, cmd
  set TagsBiter = Server.CreateObject("MyLib.HtmlTagsProcessor")
  DataThatContainsTags = Request.Form("PossiblyDefacingInput")
  DataWithoutTags = TagsBiter.StripOffTags(DataThatContainsTags)
  ' Assume that cn is a valid, open ADODB.Connection object
  ' and sp_PutValidDataIntoDB is a stored procedure that
  ' expects one Varchar parameter. The value is passed as a bound
  ' parameter rather than concatenated into the SQL text, so a
  ' quote character in the input cannot alter the statement.
  set cmd = Server.CreateObject("ADODB.Command")
  set cmd.ActiveConnection = cn
  cmd.CommandText = "sp_PutValidDataIntoDB"
  cmd.CommandType = 4                ' adCmdStoredProc
  ' The parameter name "@Value" is assumed; use the procedure's real parameter name.
  cmd.Parameters.Append cmd.CreateParameter("@Value", 200, 1, 4000, DataWithoutTags)  ' adVarChar, adParamInput
  cmd.Execute
  %>

HTH,
Vsevolod Ukrainsky, MCSE, MCSD, MCT
Bryansk State Technical Academy
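To see what the stripping loop above actually accepts and rejects, here is an added Python port of the same algorithm, run over a few constructed inputs. It is not part of the original post or of the MyLib component; the function names strip_off_tags and escape_for_html and the sample strings are this example's own. It also shows output-side HTML escaping, which is what a defender normally relies on instead of (or in addition to) input stripping, because it neutralises the unclosed '<' that the stripper leaves in place.

```python
import html


def strip_off_tags(content: str) -> tuple[str, int]:
    """Port of StripOffTags: delete each '<'...'>' span, drop a stray '>'
    that precedes the first '<', and stop at a '<' with no '>' after it.
    Returns (stripped text, number of tags removed), mirroring fTagCount."""
    tag_count = 0
    while True:
        op_tag = content.find("<")            # Pos('<', Content) - 1
        if op_tag < 0:
            break                             # no '<' left: done
        cl_tag = content.find(">")            # Pos('>', Content) - 1
        if cl_tag < 0:
            break                             # unclosed '<' stays (RemoveTag = False)
        if cl_tag < op_tag:
            # stray '>' before the '<': drop that single character and rescan
            content = content[:cl_tag] + content[cl_tag + 1:]
            continue
        # Delete(Content, OpTag, ClTag - OpTag + 1)
        content = content[:op_tag] + content[cl_tag + 1:]
        tag_count += 1
    return content, tag_count


def escape_for_html(text: str) -> str:
    """Output-side alternative: keep the user's text intact and neutralise
    '<', '>', '&' and quotes at the moment the text is rendered into a page."""
    return html.escape(text, quote=True)


# Constructed sample inputs (not taken from the original post)
SAMPLES = [
    "Hello <b>world</b>!",       # ordinary tags: removed, count 2
    "a > b <i>x</i>",            # stray '>' is dropped before the tags are removed
    "<<b>>",                     # nested brackets: first '<' up to first '>' goes, one '>' survives
    "unclosed <b bold",          # no closing '>': the stripper leaves the '<' in place
]

if __name__ == "__main__":
    for sample in SAMPLES:
        stripped, n = strip_off_tags(sample)
        print(f"{sample!r:28} -> {stripped!r} ({n} tags removed)")
        print(f"{'':28}    escaped: {escape_for_html(sample)!r}")
```

The last sample is the case worth remembering: an opening bracket with no closing one passes through the stripper untouched, while escape_for_html turns it into `&lt;b bold`, which a browser renders as literal text. Stripping reduces what reaches the database; escaping at render time is what keeps whatever is stored from being interpreted as markup.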