in reply to Checking forms for JavaScript

If Cubes is right on what you're doing, I suggest you strip out all <script...> tags - whatever the scripting language. Here's a regex for this:
# braces as delimiters so the / in </SCRIPT> needs no escaping
$text =~ s{
    <SCRIPT[^>]*>            # the opening <SCRIPT...> tag
    .*?                      # as few chars as possible until...
    (?:</SCRIPT>|$)          # closing script tag or the end of the text ($)
}{}xgis;                     # (x) comments, (g)lobal, case (i)nsensitive,
                             # treat string as (s)ingle line

# uncommented version
$text =~ s{<SCRIPT[^>]*>.*?(?:</SCRIPT>|$)}{}gis;

You need to check for strings that don't contain a closing tag, as this example below shows:

# imagine the following are two consecutive posts on a bulletin board
$first_post = <<_END_;
<SCRIPT LANGUAGE="Javascript">
document.location.href = "http://www.hamsterdance.com"
/*
_END_

$second_post = <<_END_;
*/
</SCRIPT>
_END_

I actually used this once :)

HTH

cLive ;-)

Re: Re: Checking forms for JavaScript
by shotgunefx (Parson) on Jul 24, 2001 at 03:26 UTC
    You should also look for onLoad and other attributes inside IMG tags, etc.

    -Lee

    "To be civilized is to deny one's nature."
      Valid point. But I think other event handlers also need covering - if we're gonna do one, we'd better cover *anything* that can trigger code.

      And I guess you should strip all links that start "javascript:" - arghhhh.

      So I guess we'd need to add something like:

      # javascript: URLs - keep the quotes, drop the URL between them
      $text =~ s/(["'])\s*javascript:.*?\1/$1$1/gis;
      # event handlers (on + 4 chars is min length), quoted values only
      $text =~ s/\bon\w{4,}\s*=\s*(['"]).*?\1//gis;

      Untested, but I think that might do the trick...

      Have I missed anything?

      cLive ;-)

        Duh, I forgot all about javascript urls.

        I don't know what the purpose of this particular application in question is but it may be a good idea to yank object and applet tags as well.

        -Lee

        "To be civilized is to deny one's nature."
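Added example, not code from the thread (Python rather than Perl, since the regexes carry over unchanged): cLive's script-stripping rule, the javascript: and event-handler rules from the replies, and Lee's object/applet tags combined into one filter, run over cLive's two-post case to show what the `|$` fallback buys. The sample strings are constructed here, and `strip_active_content` and `naive_leaves_first_post_intact` are names chosen for this example.

```python
import re

# <SCRIPT ...> up to </SCRIPT> or, if the post never closes it, end of text
SCRIPT_RE = re.compile(r'<SCRIPT[^>]*>.*?(?:</SCRIPT>|$)', re.I | re.S)
# Same rule for the object and applet tags Lee mentioned
OBJECT_RE = re.compile(r'<(?:OBJECT|APPLET)[^>]*>.*?(?:</(?:OBJECT|APPLET)>|$)',
                       re.I | re.S)
# A quoted attribute value starting with javascript: becomes an empty value
JS_URL_RE = re.compile(r'(["\'])\s*javascript:.*?\1', re.I | re.S)
# onXXXX="..." event-handler attributes (on + at least four word characters);
# like the thread's pattern this only covers quoted attribute values
HANDLER_RE = re.compile(r'\bon\w{4,}\s*=\s*(["\']).*?\1', re.I | re.S)

# The script pattern without the "|$" fallback, to show why it matters
NAIVE_SCRIPT_RE = re.compile(r'<SCRIPT[^>]*>.*?</SCRIPT>', re.I | re.S)


def strip_active_content(text):
    """Apply the thread's blocklist rules, in order, to one post."""
    text = SCRIPT_RE.sub('', text)
    text = OBJECT_RE.sub('', text)
    text = JS_URL_RE.sub(r'\1\1', text)   # keep the quotes, drop the URL
    text = HANDLER_RE.sub('', text)
    return text


# cLive's two consecutive posts (constructed sample data)
FIRST_POST = ('<SCRIPT LANGUAGE="Javascript">\n'
              'document.location.href = "http://www.hamsterdance.com"\n'
              '/*\n')
SECOND_POST = '*/\n</SCRIPT>\n'


def naive_leaves_first_post_intact():
    """Filtering each post on its own with the naive pattern changes nothing:
    the tag only gets closed once the two posts are rendered together."""
    return NAIVE_SCRIPT_RE.sub('', FIRST_POST) == FIRST_POST


if __name__ == '__main__':
    print(repr(strip_active_content(FIRST_POST)))    # '\n': tag stripped to end
    print(repr(strip_active_content(SECOND_POST)))   # unchanged; stray end tag is inert
    print(naive_leaves_first_post_intact())           # True
    print(strip_active_content('<IMG SRC="pic.gif" onLoad="doSomething()">'))
```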