
I am trying to add some validation for the description field to check if the user has entered any scripting/js/jQuery/SQL query code rather than a genuine product description.

// Check for disallowed patterns (JavaScript, jQuery, and SQL)
// Note: the lookbehind (?<!["']\s*;) in the second pattern is variable-length.
// PCRE2 before 10.43 (bundled with PHP up to 8.3) refuses to compile it, so for
// that pattern preg_match() returns false (with a warning) instead of matching.
$disallowedPatterns = array(
    '/\b(?:alert|confirm|prompt)\b\s*\([^;]*\)\s*;/i' => 'JavaScript code (script tag)',
    '/\b(?:alert|confirm|prompt)\s*\([^)]*(?<!["\']\s*;)\)\s*;/i' => 'JavaScript functions with parenthesis (alert, confirm, prompt)',
    '/\$\([^)]*\)\.?[a-z]+/i' => 'jQuery-related patterns',
    '/\b(?:select|insert|update|delete|union|where)\b/i' => 'SQL keywords'
);

$codeDetected = false;
foreach ($disallowedPatterns as $pattern => $description) {
    if (preg_match($pattern, $params['propertydescription'])) {
        $codeDetected = true;
        break; // $description keeps the value of the matching entry after the loop
    }
}

if ($codeDetected) {
    throw new Exception("Invalid input. The description contains disallowed content: $description");
}

But somehow, this is not working 100% for me.

I want to know if I am choosing the right way or if any third-party library can check/prevent the same.
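As an added example that is not part of the question or of either answer, the pattern list above is run over three constructed inputs to show where a keyword blocklist on free text breaks down. The backslashes are restored, the variable-length lookbehind in the second pattern is dropped so that every pattern compiles, and the `detectCode()` helper and the sample strings are mine; PHP 8 is assumed for `preg_last_error_msg()`.

```php
<?php
// Added example, not the question's or the answers' code: the poster's
// pattern list with escapes restored, run over constructed inputs.

// The question's second pattern used (?<!["']\s*;), a variable-length
// lookbehind that PCRE2 before 10.43 (PHP <= 8.3) refuses to compile;
// it is dropped here so that every pattern is valid.
$disallowedPatterns = [
    '/\b(?:alert|confirm|prompt)\b\s*\([^;]*\)\s*;/i'     => 'JavaScript code (script tag)',
    '/\b(?:alert|confirm|prompt)\s*\([^)]*\)\s*;/i'       => 'JavaScript functions with parenthesis (alert, confirm, prompt)',
    '/\$\([^)]*\)\.?[a-z]+/i'                            => 'jQuery-related patterns',
    '/\b(?:select|insert|update|delete|union|where)\b/i' => 'SQL keywords',
];

/**
 * Return the description of the first pattern that matches, or null.
 * Mirrors the question's loop, but a pattern that fails to compile is
 * reported instead of being silently treated as "no match".
 */
function detectCode(string $text, array $patterns): ?string
{
    foreach ($patterns as $pattern => $description) {
        $result = preg_match($pattern, $text);
        if ($result === false) {
            throw new RuntimeException("Bad pattern $pattern: " . preg_last_error_msg());
        }
        if ($result === 1) {
            return $description;
        }
    }
    return null;
}

// Constructed sample inputs (not real user data).
$samples = [
    // Ordinary listing prose with no code in it: "Select", "where" and
    // "delete" are plain English here, yet the SQL rule rejects it.
    'legit'  => 'Select finish kitchen where the family can gather; delete nothing from your wishlist.',
    // Markup-based script injection: no alert(...);, no $(...), no SQL
    // keyword, so none of the four patterns fires.
    'xss'    => '<img src=x onerror=alert(1)>',
    // The one shape the list was written for.
    'caught' => 'nice flat <script>alert("hi");</script>',
];

foreach ($samples as $name => $text) {
    $hit = detectCode($text, $disallowedPatterns);
    printf("%-6s => %s\n", $name, $hit ?? 'allowed');
}
```

Running it, the legitimate description is rejected for "SQL keywords", the `onerror` payload is reported as allowed, and only the `<script>alert("hi");</script>` sample is caught. That is the general shape of any blocklist on a free-text field: it rejects real customers who use ordinary words and misses any payload the list did not anticipate. Neither SQL injection nor XSS is a property of the description text; they are properties of how the text is later put into a query or a page, which is where the defence belongs.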

2 Answers


  1. Just turn on XSS Filtering (application/config/config.php)

    $config['global_xss_filtering'] = TRUE;
    

    Or in validation, like this, with xss_clean:

    $this->form_validation->set_rules('username', 'Username', 'trim|required|xss_clean');
    $this->form_validation->set_rules('email', 'Email', 'trim|required|valid_email|xss_clean');
    

    It will:

    • escape characters like <, >, ", ', and &, converting them into their HTML entities (&lt;, &gt;, &quot;, &#39;, and &amp;)
    • remove or sanitize input that contains potentially harmful scripts or tags such as <script>
    • etc.
  2. You can use filter_var to detect a pattern match; here is my implementation:

    // Note: the lookbehind (?<!["']\s*;) in the second pattern is variable-length
    // and fails to compile on PCRE2 before 10.43 (PHP up to 8.3).
    $disallowedPatterns = array(
        '/\b(?:alert|confirm|prompt)\b\s*\([^;]*\)\s*;/i' => 'JavaScript code (script tag)',
        '/\b(?:alert|confirm|prompt)\s*\([^)]*(?<!["\']\s*;)\)\s*;/i' => 'JavaScript functions with parenthesis (alert, confirm, prompt)',
        '/\$\([^)]*\)\.?[a-z]+/i' => 'jQuery-related patterns',
        '/\b(?:select|insert|update|delete|union|where)\b/i' => 'SQL keywords'
    );
    
    // Sanitize and validate the input
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; it strips tags
    // and encodes quotes, so the patterns below see the sanitized text, not the raw input.
    $params['propertydescription'] = filter_var($params['propertydescription'], FILTER_SANITIZE_STRING);
    if (empty($params['propertydescription'])) {
        throw new Exception("Invalid input. The description cannot be empty");
    }

    $codeDetected = false;
    foreach ($disallowedPatterns as $pattern => $description) {
        if (preg_match($pattern, $params['propertydescription'])) {
            $codeDetected = true;
            break;
        }
    }

    if ($codeDetected) {
        throw new Exception("Invalid input. The description contains disallowed content: $description");
    }
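Added example, not from either answer: storing and displaying an untrusted description without any keyword blocklist. The value is bound as a query parameter, so it can never change the SQL statement, and it is HTML-encoded at the point of output, so the browser never sees it as markup. It assumes the `pdo_sqlite` and `mbstring` extensions (in-memory database, no files); the table, the helper functions and the hostile sample string are mine.

```php
<?php
// Added example (not the question's or the answers' code): keep the text as
// data everywhere. SQL injection is prevented by parameter binding, XSS by
// output encoding; no attempt is made to guess what "looks like code".

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE property (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');

/**
 * Persist a description. The value never becomes part of the SQL text,
 * so keywords, quotes and semicolons inside it are just characters.
 */
function saveDescription(PDO $pdo, string $description): int
{
    // Length is the one validation a free-text field genuinely needs.
    if ($description === '' || mb_strlen($description) > 4000) {
        throw new InvalidArgumentException('Description must be 1-4000 characters');
    }
    $stmt = $pdo->prepare('INSERT INTO property (description) VALUES (:d)');
    $stmt->execute([':d' => $description]);
    return (int) $pdo->lastInsertId();
}

/** Load the raw stored text; escaping belongs at the point of output, not here. */
function loadDescription(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT description FROM property WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

/** Render for an HTML body context: every special character becomes an entity. */
function renderDescription(string $description): string
{
    return '<p>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed input that the blocklist in the question would reject (SQL
// words) and, at the same time, fail to neutralise (the onerror handler).
$hostile = "Select where you live'); DROP TABLE property; -- <img src=x onerror=alert(1)>";

$id   = saveDescription($pdo, $hostile);
$back = loadDescription($pdo, $id);

// The text round-trips unchanged and the table still exists: the quote and
// semicolons were bound as data, not parsed as SQL.
var_dump($back === $hostile);
echo renderDescription($back), "\n";
```

The same two controls exist in CodeIgniter if that is the framework in use: Query Builder and `$this->db->query()` with `?` bindings handle the database side, and `html_escape()` handles output; `xss_clean` can be layered on top as defence in depth, but it is a best-effort sanitizer and not a replacement for either of them.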