Friday, January 13, 2012

Replacing special characters like dots in javascript


I have a search query from the user and I want to process it before applying it to the browser. Since I'm using SEO with htaccess and the search URL looks like this: /search/[user query], I should do something to prevent the user from doing naughty things.. :) Like searching ../include/conf.php, which will result in giving away my configuration file. I want to process the query, like removing spaces, removing dots (which will cause problems), commas, etc.

    var q = document.getElementById('q').value;
    var q = q.replace(/ /gi,"+");
    var q = q.replace(/../gi,"");
    document.location='search/'+q;

The first replace works just fine, but the second one messes with my query.. Any solution for replacing these risky characters safely?

4 comments:

  1. So if I disable JavaScript or use curl I still can do "naughty things"? On the client side do the sanity escaping with:

    encodeURIComponent(document.getElementById('q').value)


    and leave security checks to the server. You would be amazed what a malicious user can do (using some escape sequences instead of a plain . is the simplest example).

  2. I'd do this server-side - it's too easy for someone to alter your JS in the page or switch it off altogether. Your search script that runs server-side can't (as) easily be tampered with and can then filter the search consistently.

    You might also want to restrict what the search returns... if it's able to show sensitive config files, your search may have a little too much reach.

  3. Dots in regular expressions match anything. You need to escape them with a back-slash ('\'):

    var q = q.replace(/\.\./gi,"");

  4. I should do something to prevent user from doing naughty things.. :) Like searching ../include/conf.php which will result in giving away my configuration file.


    If this is the case, your website is in danger, because sending an HTTP request doesn't need JavaScript. I can use curl, wget, etc. to get past your JS sanity check. Do the sanity check on the server side.

    About SEO friendly GET form. Just do the following.

    var q = document.getElementById('q').value;
    document.location='search/'+q;


    Characters are automatically handled by the browser. You don't need to worry about it. And about accessing files in parent directories, see this question: how-do-i-know-if-a-file-exists-in-the-current-directory-tree

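The server-side check that the comments recommend, as an added example that is not part of the original post or its comments. It assumes a Node.js handler that receives the raw, still percent-encoded /search/ segment; the function name, the length limit and the sample inputs are hypothetical.

```javascript
// Added example (hypothetical names): server-side validation of the
// /search/[user query] path segment. The result is meant to be used only as
// search data, never joined into a file path.
const MAX_LEN = 100; // assumed limit, tune for the site

function validateSearchSegment(rawSegment) {
  if (typeof rawSegment !== "string" || rawSegment.length === 0) {
    return { ok: false, reason: "empty" };
  }
  let term;
  try {
    // The question's client code sends spaces as "+"; undo that, then decode once.
    term = decodeURIComponent(rawSegment.replace(/\+/g, " "));
  } catch (e) {
    return { ok: false, reason: "malformed-encoding" }; // e.g. a lone "%"
  }
  if (term.length > MAX_LEN) return { ok: false, reason: "too-long" };
  // Anything that still looks percent-encoded was encoded twice: refuse it
  // rather than decoding in a loop.
  if (/%[0-9a-f]{2}/i.test(term)) return { ok: false, reason: "double-encoded" };
  // Path separators and control characters (NUL included) never belong in a term.
  if (/[\/\\\u0000-\u001f\u007f]/.test(term)) {
    return { ok: false, reason: "forbidden-character" };
  }
  // A term that is exactly "." or ".." is a directory reference, not a query.
  if (term === "." || term === "..") return { ok: false, reason: "dot-segment" };
  return { ok: true, term };
}

// Constructed sample inputs, not taken from real traffic.
const samples = [
  "node.js+tips",                // dots inside a word are legitimate and kept
  "../include/conf.php",         // the query from the question
  "%2e%2e%2finclude%2fconf.php", // the same query, percent-encoded
  "%252e%252e",                  // encoded twice
  "100%",                        // malformed escape
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(validateSearchSegment(s)));
}
```

Unlike stripping dots in the browser, this keeps legitimate queries such as "node.js tips" intact and rejects the request outright when the decoded value contains a separator.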