Prevent Users from Inserting Malicious HTML Tags in Your Comment Forms

No action taken by a Web developer can prevent with 100 percent certainty a malicious hacker inserting harmful scripts in Web comment forms. User can disable the ability to run all scripts through their browser, but the result is often a loss of functionality. The best approach to preventing harmful code interactions arising from your Web forms takes place during the Web development stage. Depending on the server-side operating system, either UNIX/LINUX or Microsoft Server, approaches differ. UNIX/LINUX servers usually support CGI scripts for submission of form data, which are notorious for opening opportunities for hacking. Microsoft servers support ASP.NET operations, which also has some vulnerability. Four basic steps are involved in increasing protection from problems: Character set protection; guarding against dangerous HTML tags, Encoding output, and validating user input.

Developers sometimes do not specify the character encoding used, so a default encoding controlled by the server takes effect. This may allow harmful coding in responses. By specifying encoding in the HTML, you may mitigate some of the danger. Insert this code at the beginning of a page:

<HTML> <HEAD> <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <TITLE>Your Title</TITLE></HEAD>

Hackers can insert special coding in forms asking for input that run harmful scripts on your (or someone else’s) computer. For example, given TextBox controls on Web comment forms asking for user comments, a hacker could insert this response: “Great Website! [special characters inserted to create problems]” The insertion could be hidden from view, and the result will be a problem for any user who fills out the form. Protect against this by identifying special characters. There is no legitimate reason for special characters like “+” or “&” to be inserted in user comment forms. Adding some Javascript code to filter out these with a replace operation can trap this kind of thing. Here is a start on filtering two characters:

function RemoveBadCharacters(InStr){ InStr = InStr.replace(/\&/g,""); InStr = InStr.replace(/\+/g,""); return InStr; }

There is also no legitimate reason for HTML tags in comment boxes. Someone intending computer attacks may insert malicious script within comment formsby HTML using scripting tags. Examples of these are: <script>, <object>, <applet> and <embed>. A hacker could insert comment that includes a harmful script like this: “I like your website <script>malicious javascript</script>. The Web design should filter out this kind of output before it downloads.

Rather than setting up lengthy filtering operations, consider using the HTMLEncode function, which will encode legitimate characters to prevent harm. HTMLEncode works by changing the less-than character (<) to &lt;, the greater-than character (>)to &gt;, the ampersand (&) to &amp;, double quotes to &quot; and any ASCI code greater than 0x80 to &# followed by the ASCII number. This is a server-side operation using ASP.NET 3.5 and called by this code in Visual Basic:

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

Label1.Text = Server.HtmlEncode(TextBox1.Text)

However, implementation can be a bit tricky. Users interested in exploring this method should visit the Microsoft Developer Network site listed in Additional Resources.

Microsoft Developer Network