Replacing special characters like dots in javascript



I have a search query from the user and I want to process it before sending the browser to it. Since I'm using SEO-friendly URLs with htaccess and the search URL looks like this: /search/[user query], I should do something to prevent the user from doing naughty things.. :) Like searching for ../include/conf.php, which will result in giving away my configuration file. I want to process the query by removing spaces, removing dots (which will cause problems), commas, etc.

var q = document.getElementById('q').value;

// spaces -> "+": this one works as intended
q = q.replace(/ /gi, "+");

// meant to remove "..", but in a regex an unescaped "." matches any character,
// so this deletes every pair of characters in the query
q = q.replace(/../gi, "");

document.location = 'search/' + q;

The first replace works just fine, but the second one messes with my query. Any solution for replacing these risky characters safely?
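As an added example (not the asker's code), the following shows what the posted regex actually does, what the escaped version does, and why a client-side filter is not a security control: a percent-encoded "%2e%2e" passes the filter untouched and becomes ".." once the server decodes the path. It runs under Node.js; in the page you would pass `document.getElementById('q').value` to `buildSearchUrl()`.

```javascript
// Added example, not the asker's code: behaviour of the original regex, of the
// escaped regex, and of the encoding approach.  Pure functions so it runs in Node.
"use strict";

// The original line.  An unescaped "." matches any character, so /../g deletes
// every non-overlapping pair of characters rather than the sequence "..".
function stripBuggy(q) {
  return q.replace(/../g, "");
}

// Escaping the dots (/\.\./) makes the pattern match a literal ".." only.
function stripDotDot(q) {
  return q.replace(/\.\./g, "");
}

// The client-side filter is bypassed with percent-encoding: "%2e" decodes to
// "." on the server, but the raw string contains no literal ".." and so passes
// stripDotDot() unchanged.  Returns true when the filter lets traversal through.
function encodedBypassSurvives(q) {
  return stripDotDot(q) === q && decodeURIComponent(q).includes("..");
}

// What the client side should do is encode, not filter: encodeURIComponent
// turns "/" into "%2F" so the whole query stays one path segment.  It leaves
// "." alone (legal in a segment), which is fine because the server must do the
// traversal check anyway.  The original turned spaces into "+"; doing that
// after encoding is unambiguous because a real "+" has already become "%2B".
function buildSearchUrl(q) {
  return "search/" + encodeURIComponent(q).replace(/%20/g, "+");
}

// Constructed sample queries, including the traversal attempt from the question.
const SAMPLES = ["hello", "conf.php", "../include/conf.php", "%2e%2e/include/conf.php"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", {
    buggy: stripBuggy(s),
    escaped: stripDotDot(s),
    bypass: encodedBypassSurvives(s),
    url: buildSearchUrl(s),
  });
}
```

One caveat on the encoding approach: Apache rejects an encoded slash (%2F) in the path with a 404 unless AllowEncodedSlashes is turned on, so a /search/[query] rewrite that must accept slashes in queries needs that directive, and the server-side script must still treat the decoded value as untrusted.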


Comments

  1. So if I disable JavaScript or use curl I can still do "naughty things"? On the client side do the sanity escaping with:

    encodeURIComponent(document.getElementById('q').value)


    and leave security checks to the server. You would be amazed what a malicious user can do (using some escape sequences instead of a plain . is the simplest example).

  2. I'd do this server-side - it's too easy for someone to alter your JS in the page or switch it off altogether. Your search script that runs server-side can't (as) easily be tampered with and can then filter the search consistently.

    You might also want to restrict what the search returns... if it's able to show sensitive config files, your search may have a little too much reach.

  3. Dots in regular expressions match anything. You need to escape them with a back-slash ('\'):

    var q = q.replace(/\.\./gi,"");

  4. "I should do something to prevent user from doing naughty things.. :) Like searching ../include/conf.php which will result in giving away my configuration file."


    If this is the case, your website is in danger, because sending an HTTP request doesn't need JavaScript. I can use curl, wget etc. to get past your JS sanity check. Do the sanity check on the server side.

    About SEO friendly GET form. Just do the following.

    var q = document.getElementById('q').value;
    document.location='search/'+q;


    Characters are automatically handled by the browser. You don't need to worry about it. And about accessing files in parent directories, see this question: how-do-i-know-if-a-file-exists-in-the-current-directory-tree

