I have a number of forms (contact, eNews subscriptions, etc.) where someone is entering "redirect" JavaScript code in one of the fields in the form. The JavaScript then wreaks havoc on my CMS or the websites themselves, because when the CMS is accessed or the information is viewed by the visitors, it redirects them to another site.

Anyone happen to know a way to keep this from happening?

My thinking would be to write some code to check each entry for < or >, which is always what these problematic JavaScript codes are wrapped in.

Depending on how you desire to handle it, you can use the htmlEdit() or htmlCode() functions, which will escape those characters. This will cause the code to be displayed in the viewport rather than executed.

But if you want to even prevent that, more effort would be required.

Those would probably do the trick, but I think I'd rather prevent them from getting into the system altogether, because of the number of places that information (and thus the scripts) could be accessed, viewed, displayed, etc.

Again, if you are not concerned about stripping them, use the HTMLEdit()/code() functions on the input into the database. Then the escaped code is stored and will be displayed that way anywhere it is output. A one-time batch conversion will take care of anything already saved.

I would do this, even if I were building a more sophisticated solution to try and strip the cross-scripting code, as a default backup.

Unfortunately, most of the higher-level solutions require knowing how the hackers will enter the code. And they are very clever about finding new ways to circumvent what we develop to block them.

These simple functions that escape all code are very quick to implement and pretty bulletproof, if not the prettiest solutions, which makes them a great last line of defense even if you do develop more elegant solutions.
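The following is an added example illustrating the two replies above (escape on the way into the database, plus a one-time batch conversion of rows that were saved before escaping was in place); it is not code from the thread or from the poster's CMS. The htmlEdit()/htmlCode() functions named above appear to be that CMS's own, so Python's standard html.escape stands in for them here; the SQLite table and the three sample submissions are constructed for the demonstration. Two points the thread leaves implicit are built in: escaping must cover quotes as well as angle brackets, because a payload such as `" onmouseover="..."` breaks out of an attribute without ever using < or > and would pass the original poster's bracket check; and the batch conversion must be run exactly once, since escaping is not idempotent (`&` becomes `&amp;`, then `&amp;amp;`). If any output path later escapes the stored text again you will see harmless but ugly double-encoded entities, which is the price of escaping at input time rather than at output time.

```python
import html
import sqlite3

# Constructed sample submissions (not real data) in the order they were saved:
# a normal entry, a "redirect" script like the one described in the thread, and
# an attribute-breakout payload that contains no < or > at all.
SAMPLE_SUBMISSIONS = [
    ("Jane Doe", "jane@example.com", "Please add me to the newsletter."),
    ("Bad Actor", "x@example.com",
     '<script>window.location="http://evil.example/"</script>'),
    ("Sneaky", "y@example.com",
     '" onmouseover="window.location=\'http://evil.example/\'"'),
]


def escape_html(value):
    """Escape the characters HTML injection depends on.

    html.escape with quote=True turns & < > " ' into entities, so the text is
    rendered literally whether it lands in element content or inside an
    attribute value. This stands in for the CMS's htmlEdit()/htmlCode()."""
    return html.escape(str(value), quote=True)


def contains_angle_brackets(value):
    """The original poster's proposed check. Kept only to show what it misses."""
    return "<" in value or ">" in value


def is_safe_to_render(value):
    """Stored text should hold none of the raw characters that can open a tag
    or terminate an attribute."""
    return not any(c in value for c in "<>\"'")


def legacy_database():
    """Constructed in-memory table of submissions saved *before* escaping."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE submissions(id INTEGER PRIMARY KEY, name, email, message)"
    )
    conn.executemany(
        "INSERT INTO submissions(name, email, message) VALUES (?, ?, ?)",
        SAMPLE_SUBMISSIONS,
    )
    return conn


def store_submission(conn, name, email, message):
    """Escape on the way in, as the second reply suggests, so every place the
    record is later displayed shows the code instead of running it."""
    conn.execute(
        "INSERT INTO submissions(name, email, message) VALUES (?, ?, ?)",
        (escape_html(name), escape_html(email), escape_html(message)),
    )


def batch_escape_existing(conn):
    """One-time conversion of rows saved before escaping was in place.

    Run it exactly once: escaping an already-escaped row re-encodes the
    ampersands (&lt; becomes &amp;lt;). Returns the number of rows converted."""
    rows = conn.execute(
        "SELECT id, name, email, message FROM submissions"
    ).fetchall()
    for rid, name, email, message in rows:
        conn.execute(
            "UPDATE submissions SET name = ?, email = ?, message = ? WHERE id = ?",
            (escape_html(name), escape_html(email), escape_html(message), rid),
        )
    conn.commit()
    return len(rows)


def stored_messages(conn):
    """Message column in insertion order, as a view template would read it."""
    return [r[0] for r in conn.execute("SELECT message FROM submissions ORDER BY id")]


if __name__ == "__main__":
    db = legacy_database()
    print("before:", stored_messages(db))
    print("converted", batch_escape_existing(db), "rows")
    store_submission(db, "New User", "n@example.com", "<b>hi</b> & bye")
    print("after: ", stored_messages(db))
```

The bracket check alone reports the third sample as clean, while `escape_html` neutralises it along with the `<script>` redirect; after the batch run every stored message passes `is_safe_to_render`, and new submissions go through `store_submission` so the table never holds raw markup again.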