Ask a Question related to ASP.NET Security, Design and Development.
-
clintonG #1
RegEx for XSS (Cross-Site Scripting)?
Trying to use the RegularExpressionValidator with the following
expression [^0-9a-zA-Z] which functions well when using code
with the System.Text.RegularExpressions class but the same
expression will not function when used with the
RegularExpressionValidator leaving me wondering "what?"
The expression 'negates' any entry but those alphanumeric
characters 0-9, a-z and A-Z thus I assume this expression
would be sufficient to disallow XSS exploits noting as a matter
of practice I will also continue to use Server.HtmlEncode.
Comments regarding the dysfunction of the expression when used
with the RegularExpressionValidator and 'your' methodology to
prevent XSS exploits will be appreciated.
--
<%= Clinton Gallagher, "Twice the Results -- Half the Cost"
Architectural & e-Business Consulting -- Software Development
NET [email]csgallagher@REMOVETHISTEXTmetromilwaukee.com[/email]
URL [url]http://www.metromilwaukee.com/clintongallagher/[/url]
clintonG Guest
-
Peter Blum #2
Re: RegEx for XSS (Cross-Site Scripting)?
Your expression should be enclosed in ^ and $ symbols so that every
character must be in this set. In addition, the use of negation is
incorrect. You want the validator to report an error when anything outside
of the letter or digit character set is given. You have indicated that only
these characters are illegal.
Here's a reworked expression:
^[0-9a-zA-Z]*$
Since you are attempting to improve your site's security, please be aware
that there is a new product for ASP.NET sites to protect against XSS, SQL
injection, Input Tampering, and Brute Force Input attacks. I am the author.
It is "Visual Input Security" ([url]http://www.peterblum.com/vise/home.aspx[/url]).
--- Peter Blum
[url]www.PeterBlum.com[/url]
Email: [email]PLBlum@PeterBlum.com[/email]
Creator of "Professional Validation And More" at
[url]http://www.peterblum.com/vam/home.aspx[/url]
"clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in message
news:urp1KeclEHA.536@TK2MSFTNGP11.phx.gbl...
> Trying to use the RegularExpressionValidator with the following
> expression [^0-9a-zA-Z] which functions well when using code
> with the System.Text.RegularExpressions class but the same
> expression will not function when used with the
> RegularExpressionValidator leaving me wondering "what?"
>
> The expression 'negates' any entry but those alphanumeric
> characters 0-9, a-z and A-Z thus I assume this expression
> would be sufficient to disallow XSS exploits noting as a matter
> of practice I will also continue to use Server.HtmlEncode.
>
> Comments regarding the dysfunction of the expression when used
> with the RegularExpressionValidator and 'your' methodology to
> prevent XSS exploits will be appreciated.
>
> --
> <%= Clinton Gallagher, "Twice the Results -- Half the Cost"
> Architectural & e-Business Consulting -- Software Development
> NET [email]csgallagher@REMOVETHISTEXTmetromilwaukee.com[/email]
> URL [url]http://www.metromilwaukee.com/clintongallagher/[/url]
>
>
Peter Blum Guest
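To see why the two expressions behave differently inside the validator, here is an added Python example (not code from the thread or from either poster) that reproduces the validator's acceptance rule: the expression is run with Regex.Match and the value passes only when the match starts at index 0 and spans the whole value, with empty or whitespace-only values treated as valid. The sample inputs are constructed.

```python
import re

# Mirror of RegularExpressionValidator.EvaluateIsValid (assumption: same
# rule as the ASP.NET validator). Regex.Match is a search, so the match may
# start anywhere; the validator then demands it begin at index 0 and cover
# the whole value. Empty or whitespace-only input is accepted, so pair this
# with a RequiredFieldValidator when a value is mandatory.
def validator_accepts(expression: str, value: str) -> bool:
    if value.strip() == "":
        return True
    m = re.search(expression, value)
    return m is not None and m.start() == 0 and m.end() == len(value)


NEGATED = r"[^0-9a-zA-Z]"      # the original poster's expression
ALLOWLIST = r"^[0-9a-zA-Z]*$"  # Peter Blum's reworked expression

# Constructed inputs: plain alphanumerics, a tag, a mixed value, a lone
# punctuation character, and alphanumerics followed by a newline.
SAMPLES = ["hello42", "<script>", "a<b", "<", "abc\n"]


def compare(expression: str, samples=SAMPLES) -> dict:
    """Return {value: accepted} under the validator's rule."""
    return {s: validator_accepts(expression, s) for s in samples}


if __name__ == "__main__":
    # NEGATED matches exactly one disallowed character, so under the
    # whole-value rule it accepts only a value that IS a single
    # non-alphanumeric character (e.g. "<") and rejects "hello42": the
    # opposite of the intent. That is the "dysfunction" in the question.
    # ALLOWLIST accepts "hello42" and rejects anything containing a tag.
    # Note "abc\n": in .NET and Python alike, $ matches before a trailing
    # newline, so the match is "abc" (3 chars); the validator's length check
    # rejects the 4-char value, whereas a bare IsMatch call would pass it.
    print(f"{'value':<12}{'negated':<10}anchored allowlist")
    for s in SAMPLES:
        shown = s.replace("\n", "\\n")
        print(f"{shown:<12}{str(validator_accepts(NEGATED, s)):<10}"
              f"{validator_accepts(ALLOWLIST, s)}")
```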
-
clintonG #3
Re: RegEx for XSS (Cross-Site Scripting)?
Thank you for responding Peter. I'll work with the revised expression
and will certainly avail myself of your work as you referred.
<%= Clinton Gallagher
"Peter Blum" <PLBlum@Blum.info> wrote in message
news:ec%23$ASplEHA.2680@TK2MSFTNGP15.phx.gbl...
clintonG Guest