Skip to main content

Replacing special characters like dots in javascript

Image
By User



I have a search query from the user and I want to process it before applying to browser. since I'm using SEO with htaccess and the search url looks like this : /search/[user query] I should do something to prevent user from doing naughty things.. :) Like searching ../include/conf.php which will result in giving away my configuration file. I want to process the query like removing spaces, removing dots(which will cause problems), commas,etc.







var q = document.getElementById('q').value;

var q = q.replace(/ /gi,"+");

var q = q.replace(/../gi,"");

document.location='search/'+q;







the first replace works just fine but the second one messes with my query.. any solution to replacing this risky characters safely?


Labels:

Comments

  1. AdminJanuary 14, 2012 at 4:39 AM

    So if I disable JavaScript or use curl I still can do "naughty things"? On the client side do the sanity escaping with:

    encodeURIComponent(document.getElementById('q').value)


    and leave security checks to the server. You would be amazed what malicious user can do (using some escape sequences instead of plain . is the simplest example).

    ReplyDelete
  2. AdminJanuary 14, 2012 at 4:39 AM

    I'd do this server-side - it's too easy for someone to alter your JS in the page or switch it off altogether. Your search script that runs server-side can't (as) easily be tampered with and can then filter the search consistently.

    You might also want to restrict what the search returns... if it's able to show sensitive config files, your search may have a little too much reach.

    ReplyDelete
  3. AdminJanuary 14, 2012 at 4:39 AM

    Dots in regular expressions match anything. You need to escape them with a back-slash ('\'):

    var q = q.replace(/\.\./gi,"");

    ReplyDelete
  4. AdminJanuary 14, 2012 at 4:39 AM

    I should do something to prevent user from doing naughty things.. :) Like searching ../include/conf.php which will result in giving away my configuration file.


    If this is the case, your website is in danger. Because sending http request doesn't need javascript. I can use curl, wget etc to get pass your JS sanity check. Do the sanity check on server side.

    About SEO friendly GET form. Just do the following.

    var q = document.getElementById('q').value;
    document.location='search/'+q;


    characters are automatically handled by browser. You dont need to worry about it. And about accessing files in parent directories, See this question how-do-i-know-if-a-file-exists-in-the-current-directory-tree

    ReplyDelete

Post a Comment

Popular posts from this blog

[韓日関係] 首相含む大幅な内閣改造の可能性…早ければ来月10日ごろ=韓国

By Unknown
Post a Comment
Read more

div not scrolling properly with slimScroll plugin

By User
I am using the slimScroll plugin for jQuery by Piotr Rochala Which is a great plugin for nice scrollbars on most browsers but I am stuck because I am using it for a chat box and whenever the user appends new text to the boxit does scroll using the .scrollTop() method however the plugin's scrollbar doesnt scroll with it and when the user wants to look though the chat history it will start scrolling from near the top. I have made a quick demo of my situation http://jsfiddle.net/DY9CT/2/ Does anyone know how to solve this problem?
1 comment
Read more

Why does this javascript based printing cause Safari to refresh the page?

By User
The page I am working on has a javascript function executed to print parts of the page. For some reason, printing in Safari, causes the window to somehow update. I say somehow, because it does not really refresh as in reload the page, but rather it starts the "rendering" of the page from start, i.e. scroll to top, flash animations start from 0, and so forth. The effect is reproduced by this fiddle: http://jsfiddle.net/fYmnB/ Clicking the print button and finishing or cancelling a print in Safari causes the screen to "go white" for a sec, which in my real website manifests itself as something "like" a reload. While running print button with, let's say, Firefox, just opens and closes the print dialogue without affecting the fiddle page in any way. Is there something with my way of calling the browsers print method that causes this, or how can it be explained - and preferably, avoided? P.S.: On my real site the same occurs with Chrome. In the ex
5 comments
Read more