
Regular Expressions

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: ASP.NET Discussion
Forum Description: Discussion and chat on ASP.NET related topics.
URL: https://forums.webwiz.net/forum_posts.asp?TID=6941
Printed Date: 29 March 2026 at 11:44pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Regular Expressions
Posted By: Mart
Subject: Regular Expressions
Date Posted: 03 November 2003 at 3:02am

Basically I want to strip out all JavaScript. But I've never used regular expressions in ASP.NET, so has anyone got any good examples or tutorials?

Thanks, Mart.




Replies:
Posted By: Bluefrog
Date Posted: 03 November 2003 at 8:26am

Ah... how timely...

I'm in the middle of writing a VB.NET application and the following function is to strip markup. (The app is for doing regular expressions a bit better than the others I've seen. So far it's NOT. I'll get it there though.)

I'm not quite done, but I would REALLY like to get a couple beta testers for it if anyone is interested. Actually, I was going to post in a few days for beta testers... It requires the .NET framework.

Hopefully this can at least point you in the right direction.

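    ' Requires "Imports System.Text.RegularExpressions" at the top of the file.
    ' Strips script/style/object blocks, then every remaining tag, from theBox.Text.
    ' Returns True on success, False if a regex call threw.
    Private Function removeMarkup(ByVal theBox) As Boolean
        Dim strMarkUp1 As String
        Dim strMarkUp2 As String
        Dim strMarkUp3 As String
        Dim strMarkUp8 As String

        ' [\w|\t|\r|\W]* matches any character and is greedy, so each pattern
        ' runs from the first opening tag to the last matching closing tag.
        strMarkUp1 = "(<script[^>]*>[\w|\t|\r|\W]*</script>)"
        strMarkUp2 = "(<style[^>]*>[\w|\t|\r|\W]*</style>)"
        strMarkUp3 = "(<object[^>]*>[\w|\t|\r|\W]*</object>)"

        ' Any remaining tag
        strMarkUp8 = "(<[^<]+>)"

        Try

             ' need to set the multiline option
             Dim rmvOpts As New RegexOptions()

             rmvOpts = RegexOptions.Singleline
             rmvOpts = rmvOpts Or RegexOptions.Multiline
             rmvOpts = rmvOpts Or RegexOptions.IgnoreCase

             ' Whole script/style/object blocks become a space plus a line break
             theBox.text = Regex.Replace(theBox.text, strMarkUp1, " " & vbCrLf, rmvOpts)
             theBox.text = Regex.Replace(theBox.text, strMarkUp2, " " & vbCrLf, rmvOpts)
             theBox.text = Regex.Replace(theBox.text, strMarkUp3, " " & vbCrLf, rmvOpts)

             ' Every other tag becomes a single space
             theBox.text = Regex.Replace(theBox.text, strMarkUp8, " ", rmvOpts)

             Return True

        Catch exp As Exception
             MsgBox("We encountered an error: " & exp.Message, MsgBoxStyle.Critical, Me.Text)
             Return False
        End Try

    End Function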

 



-------------
Renegade Minds - Guitar Software: http://renegademinds.com/ | Slow Down Music: http://renegademinds.com/Default.aspx?tabid=65


Posted By: Mart
Date Posted: 03 November 2003 at 9:38am

Thanks a lot, that's helped me. I wouldn't mind beta testing for you.

Thanks, Mart.



Posted By: MorningZ
Date Posted: 03 November 2003 at 9:49am

Mart, I am going to take a guess that you are going to "AllowHTMLMode" on FreeTextBox for whatever this is for...

Keep in mind that you also need to look out for random closing tags like </tr> and </table> in which a member could totally hork the outputted HTML....

I'd suggest not ever ever allowing HTML entry unless you (1) trust them and (2) they know what the hell they are doing.

Besides, that RegEx shown above has holes in it..... look at -borg-'s replace code in the forum code for this to see more extensive removal of script kiddies.



-------------
Contribute to the working anarchy we fondly call the Internet


Posted By: Diep-Vriezer
Date Posted: 03 November 2003 at 10:05am

I think it is better to just replace the < and > with &lt; and &gt;.

This way ALL the code entered in the textbox will not be visible for the server, and will show up just like in the [ code ] tags at WWF I guess.

Unless you REALLY want the user to put HTML code in it. BTW, the framework has a feature for this, which you can set at the top of the page (in the header) like this:

<%@ Page ValidateRequest="true" %>



-------------
Gone..


Posted By: Mart
Date Posted: 03 November 2003 at 10:08am

I'm keeping AllowHTMLMode False, but this morning I managed to insert a JavaScript by copying and pasting it into design mode. And it's for a forum I'm writing in ASP.NET, so I have to trust them. I will look at the replace functions then.

Thanks, Mart.



Posted By: Diep-Vriezer
Date Posted: 03 November 2003 at 10:09am

R U sure?

EDIT: What a useless question...



-------------
Gone..


Posted By: Mart
Date Posted: 03 November 2003 at 10:09am
<%@ AutoEventWireup="false" %> What does that do?


Posted By: Mart
Date Posted: 03 November 2003 at 10:14am
Sorry, ignore that post. It seems you edited it to validaterequest="false", which I already have it set at.


Posted By: Diep-Vriezer
Date Posted: 03 November 2003 at 12:46pm
You should set it to true to ban any HTML entry.. BTW, I picked the wrong value, then edited it back to validaterequest.

-------------
Gone..


Posted By: Mart
Date Posted: 03 November 2003 at 1:04pm

No, you've obviously misunderstood me. I want them to be able to use HTML but not insert malicious JavaScripts.

Mart.



Posted By: Diep-Vriezer
Date Posted: 03 November 2003 at 2:06pm

Alright. BTW you could load the message in an iframe, and avoid the danger of the </tr> commands.



-------------
Gone..


Posted By: Mart
Date Posted: 03 November 2003 at 2:27pm
That's a pretty good solution actually, thanks.


Posted By: Diep-Vriezer
Date Posted: 04 November 2003 at 8:24am
Wow, I answered correct =P

-------------
Gone..


Posted By: Mart
Date Posted: 04 November 2003 at 8:39am

Actually you didn't, I found a better solution.

If I put all the posts in separate tables like this:

it will prevent vicious </tr>'s, won't it?

forum



Posted By: Bluefrog
Date Posted: 04 November 2003 at 9:30am
Originally posted by Mart:

Thanks a lot, that's helped me. I wouldn't mind beta testing for you.

Thanks, Mart.

Glad it was useful.

I'd really appreciate some feedback if you want to beta test. The current build is at http://deleteme.info/dm.zip. But in all fairness, it isn't finished, although it is (almost) stable. (It doesn't handle bad expressions at the moment - I still have to handle errors for bad reg exs.) Beta at the moment. And it looks ugly too. And its mother dresses it funny... etc... You need the .NET framework for it to run. Just unzip and run FileManipulator.exe. I'm still working on the networking functionality.

 

 

 



-------------
Renegade Minds - Guitar Software: http://renegademinds.com/ | Slow Down Music: http://renegademinds.com/Default.aspx?tabid=65


Posted By: Mart
Date Posted: 04 November 2003 at 9:43am

The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

Please try the following:


Cannot find server or DNS Error
Internet Explorer



Posted By: Diep-Vriezer
Date Posted: 04 November 2003 at 12:23pm
Originally posted by Mart:

Actually you didn't, I found a better solution.

If I put all the posts in separate tables like this:

it will prevent vicious </tr>'s, won't it?

No it won't. You'll still be able to use </table> and close the whole table.. Or some other things like </html> or </body> or <a> or whatever. When a user doesn't close the tags, the same thing happens.



-------------
Gone..
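
Added example (not code from any poster in this thread): one way to combine the encode-everything suggestion above with the requirement of still allowing some HTML, while keeping stray closers such as </table> and unclosed tags from breaking the surrounding page. The allow-list, the SanitizePost name and the sample posts are assumptions constructed for illustration; WebUtility.HtmlEncode requires .NET 4.0 or later.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net
Imports System.Text.RegularExpressions

Module AllowListDemo
    ' Hypothetical allow-list: attribute-free formatting tags only.
    Private ReadOnly AllowedTags As String() = {"b", "i", "u", "em", "strong", "p", "blockquote"}
    ' An encoded tag with no attributes, e.g. &lt;b&gt; or &lt;/b&gt;
    Private ReadOnly EncodedTag As New Regex("&lt;(/?)([a-z][a-z0-9]*)&gt;", RegexOptions.IgnoreCase)

    Function SanitizePost(ByVal raw As String) As String
        Dim openTags As New Stack(Of String)()
        ' 1. Encode everything, so nothing the poster typed is live markup.
        Dim encoded As String = WebUtility.HtmlEncode(raw)
        ' 2. Turn back on only allow-listed tags, tracking nesting as we go.
        Dim result As String = EncodedTag.Replace(encoded,
            Function(m As Match) As String
                Dim tagName As String = m.Groups(2).Value.ToLowerInvariant()
                If Array.IndexOf(AllowedTags, tagName) < 0 Then Return m.Value ' stays encoded
                If m.Groups(1).Value = "" Then
                    openTags.Push(tagName)
                    Return "<" & tagName & ">"
                End If
                ' A closer is restored only if it matches the innermost open tag.
                If openTags.Count > 0 AndAlso openTags.Peek() = tagName Then
                    openTags.Pop()
                    Return "</" & tagName & ">"
                End If
                Return m.Value ' stray closer stays visible as text
            End Function)
        ' 3. Close whatever the poster left open.
        While openTags.Count > 0
            result &= "</" & openTags.Pop() & ">"
        End While
        Return result
    End Function

    Sub Main()
        ' Constructed sample posts.
        For Each post As String In New String() {
                "<b>bold</b> and <script>alert(1)</script>",
                "</td></tr></table><i>unclosed",
                "<b class=""x"">tag with attribute</b>"}
            Console.WriteLine(SanitizePost(post))
        Next
    End Sub
End Module
```

Because the tag pattern only matches names followed directly by the encoded ">", any tag carrying attributes stays encoded along with its closer.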


Posted By: Mart
Date Posted: 04 November 2003 at 12:54pm

It's OK anyway, I can just edit the HTML parsing function I wrote.



Posted By: Diep-Vriezer
Date Posted: 04 November 2003 at 12:55pm
Can I test it =P?

-------------
Gone..


Posted By: Mart
Date Posted: 04 November 2003 at 1:14pm

I don't trust you. You can wait till I've got rid of every security risk I can think of.



Posted By: Diep-Vriezer
Date Posted: 04 November 2003 at 1:28pm

Cry He doesn't trust me... bleeeeh.



-------------
Gone..


Posted By: Mart
Date Posted: 04 November 2003 at 1:37pm
Don't take it personally.


Posted By: Diep-Vriezer
Date Posted: 04 November 2003 at 2:52pm


-------------
Gone..


Posted By: Bluefrog
Date Posted: 04 November 2003 at 10:33pm

Ooops...

Yeah, I reinstalled that server completely and never took the time to clean up the web server on it. (My ISP blocks port 80.)

Works now with this: http://www.bfsolutions.com/dm.zip

Sorry about that.

Originally posted by Mart:

The page cannot be displayed

The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

Please try the following:


Cannot find server or DNS Error
Internet Explorer



-------------
Renegade Minds - Guitar Software: http://renegademinds.com/ | Slow Down Music: http://renegademinds.com/Default.aspx?tabid=65


Posted By: Mart
Date Posted: 05 November 2003 at 9:45am
What does it actually do!


Posted By: Diep-Vriezer
Date Posted: 05 November 2003 at 10:49am
What's the use of filling the screen (twice) with an error page??  Am I missing something?

-------------
Gone..


Posted By: Mart
Date Posted: 05 November 2003 at 2:31pm

Is it meant for searching files?



Posted By: Bluefrog
Date Posted: 05 November 2003 at 4:08pm

It's for searching files and returning result sets. Ideally, I'd like to make it usable for 'humans', because regular expressions are not exactly useful for most people. Hence the minor presets available... 'word', 'space', etc. The interface is horrid, but I'm still learning VB.NET, so I'm trying to get the basic functionality first. The primary use will be for teachers who teach languages to non-native speakers, so that they can quickly get examples of grammar structures.

Later, I'll have it store the result sets in a database so that they can be reused.  



-------------
Renegade Minds - Guitar Software: http://renegademinds.com/ | Slow Down Music: http://renegademinds.com/Default.aspx?tabid=65


Posted By: Bluefrog
Date Posted: 06 November 2003 at 8:47am

http://deleteme.info:64646/dm.zip

That should work... I really need to get another server...



-------------
Renegade Minds - Guitar Software: http://renegademinds.com/ | Slow Down Music: http://renegademinds.com/Default.aspx?tabid=65


