Title: COM Component that Bites Off HTML Tags
Question: Wise Forum Moderators and/or Webmastas would want to deny visitors the ability to post messages/guestbook entries using HTML tags. Done by an advanced but evil hacker, it could cause a site defacement or another type of CSS attack (Cross-Site Scripting attack).
Answer:
Here's a simple function that could be wrapped as a COM method and used to strip off HTML tags from a form's input.
function THtmlTagsProcessor.StripOffTags(const Html: WideString): WideString; safecall;
var
  OpTag: Int64;        // Open tag position tracker
  ClTag: Int64;        // Close tag position tracker
  Content: WideString;

  procedure GetTag;    // Gets the positions of the first '<' and the first '>' (0 = not found)
  begin
    OpTag := Pos('<', Content);
    ClTag := Pos('>', Content);
  end;

  function RemoveTag: Boolean; // If a tag is found, it is removed
  begin
    if ClTag > 0 then
    begin
      fTagCount := fTagCount + 1;  // fTagCount is a field of THtmlTagsProcessor
      Delete(Content, OpTag, ClTag - OpTag + 1);
      Result := True;
    end
    else
      Result := False;
  end;

begin
  Content := Html;
  fTagCount := 0;      // Could be defined as Read-Only Property TotalTags
  while Pos('<', Content) > 0 do
  begin
    GetTag;
    // A stray '>' before the first '<' is dropped; repeat until the first '>'
    // follows the '<' (or no '>' is left), so RemoveTag never gets a negative span
    while (ClTag > 0) and (ClTag < OpTag) do
    begin
      Delete(Content, ClTag, 1);
      GetTag;
    end;
    // No closing '>' left (unclosed '<'): nothing more can be removed
    if not RemoveTag then Break;
  end;
  Result := Content;
end;
===
As far as we have defined this method, we should test it! Assuming that we compiled the MyLib library that contains the THtmlTagsProcessor class and registered it within the MTS (COM+) run-time environment, let's just open an ASP page and make a server-side acceptor:
<%
Dim DataThatContainsTags, DataWithoutTags, TagsBiter, cmd
Set TagsBiter = Server.CreateObject("MyLib.HtmlTagsProcessor")
DataThatContainsTags = Request.Form("PossiblyDefacingInput")
DataWithoutTags = TagsBiter.StripOffTags(DataThatContainsTags)
' Assume that cn is a valid ADODB.Connection object
' and sp_PutValidDataIntoDB is a stored procedure that
' expects one Varchar parameter. The value is passed as a
' bound parameter, not concatenated into the command text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = 4                    ' adCmdStoredProc
cmd.CommandText = "sp_PutValidDataIntoDB"
' Parameter name is a placeholder; ADO binds stored-procedure parameters by position
cmd.Parameters.Append cmd.CreateParameter("@Value", 200, 1, 8000, DataWithoutTags) ' adVarChar, adParamInput
cmd.Execute
%>
HTH,
Vsevolod Ukrainsky, MCSE, MCSD, MCT
Bryansk State Technical Academy
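Added illustration, not code from the original answer: a Python port of the StripOffTags loop (including the stray '>' and unclosed '<' cases), paired with the output-side HTML encoding that makes whatever the stripper leaves behind render as literal text. The names strip_tags and encode_for_html and the sample entries are mine.

```python
import html
from typing import Tuple


def strip_tags(text: str) -> Tuple[str, int]:
    """Remove every '<...>' span from text, as THtmlTagsProcessor.StripOffTags does.

    Returns (stripped_text, tags_removed). The Delphi original is 1-based
    (Pos/Delete); this port uses 0-based str.find and slicing.
    """
    content = text
    tag_count = 0
    while "<" in content:
        op = content.find("<")
        cl = content.find(">")
        # Stray '>' characters before the first '<' are dropped one at a
        # time until the first '>' follows the '<' (or none is left).
        while 0 <= cl < op:
            content = content[:cl] + content[cl + 1:]
            op = content.find("<")
            cl = content.find(">")
        if cl < 0:
            # Unclosed '<': nothing more can be removed; the remainder,
            # including that '<', is returned untouched (the original's Break).
            break
        content = content[:op] + content[cl + 1:]
        tag_count += 1
    return content, tag_count


def encode_for_html(value: str) -> str:
    """Output-side encoding: whatever strip_tags leaves behind (an unclosed
    '<', quotes, ampersands) is rendered by the browser as literal text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample guestbook entries, not data from the original page.
    for entry in ["Hello <b>World</b>!", "a > > <i>c</i> done", "x <scr"]:
        stripped, count = strip_tags(entry)
        print(repr(entry), "->", repr(stripped), "tags:", count,
              "| html:", encode_for_html(stripped))
```

Stripping on input and encoding on output are complementary: the first removes well-formed tags from stored data, the second guarantees that anything the stripper could not classify is displayed as text rather than interpreted as markup.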