'***********************************************************************************
' Script Name: IIS_Clean_Input_Data.vbs
' Version: 1.0
' Author: Jason Fossen, Enclave Consulting LLC
'Last Updated: 7/19/01
' Purpose: Examples of functions which can be pasted into ASP pages
' to clean user input of dangerous data.
' Usage: Modify and paste into ASP pages which process user input.
' Notes: Install latest WSH and Service Pack on IIS!
' Keywords: IIS, ASP, regular expression, RegExp, clean, validate
' Legal: 0BSD.
' Script provided "as is" without implied warranty or guarantee. Use
' at your own risk and only on networks with prior written permission.
'***********************************************************************************
On Error Resume Next
'***********************************************************************************
' Function Name: CleanOutHTML()
' Purpose: Removes all HTML tags from input string.
' Returns: Input string minus HTML tagged content.
'***********************************************************************************
Function CleanOutHTML(sInput)
If Not IsObject(oRegExp) Then Set oRegExp = New RegExp
oRegExp.Global = True
oRegExp.MultiLine = True 'This require WSH 5.1 or later.
oRegExp.Pattern = "<.*?>" 'The ? makes it non-greedy.
CleanOutHTML = oRegExp.Replace(sInput,"") 'Replace matches with nothing, i.e., delete matches.
End Function
'***********************************************************************************
' Function Name: CleanOutDangerousChars()
' Purpose: Removes all single dangerous characters from input string.
' Where dangerous includes " ' < > % ; ) ( & + |
' \x22 and \x27 are for the singlequote and doublequote characters.
' Returns: Input string minus chars.
'***********************************************************************************
Function CleanOutDangerousChars(sInput)
If Not IsObject(oRegExp) Then Set oRegExp = New RegExp
oRegExp.Global = True
oRegExp.MultiLine = True
oRegExp.Pattern = "\<|\>|\%|\;|\)|\(|\&|\+|\\|\x22|\x27"
CleanOutDangerousChars = oRegExp.Replace(sInput,"")
End Function
'***********************************************************************************
' Function Name: CleanOutDangerousWords()
' Purpose: Removes dangerous words from a query string.
' Where dangerous includes "select", "insert", "update"
' "from", "where" and "cmd.exe". Modify as needed.
' Returns: Input string minus keywords.
'***********************************************************************************
Function CleanOutDangerousWords(sInput)
If Not IsObject(oRegExp) Then Set oRegExp = New RegExp
oRegExp.Global = True
oRegExp.MultiLine = True
oRegExp.IgnoreCase = True
oRegExp.Pattern = "select|insert|update|from|where|cmd\.exe|tftp\.exe"
CleanOutDangerousWords = oRegExp.Replace(sInput,"")
End Function
'***********************************************************************************
' Function Name: CleanOutTextAfterPipe()
' Purpose: Removes all text after the first pipe "|" symbol.
' Note: This is Michael Howard's example (MS) and it also nicely
' demonstrates the use of a backreference, "$1".
' Returns: Input string minus everything after first "|".
'***********************************************************************************
Function CleanOutTextAfterPipe(sInput)
If Not IsObject(oRegExp) Then Set oRegExp = New RegExp
oRegExp.Pattern = "^(.+)\|(.+)" 'Parentheses are need to store match for backreference.
CleanOutTextAfterPipe = oRegExp.Replace(sInput,"$1") '$1 references to first stored match.
End Function
'END OF SCRIPT *********************************************************************
'The following merely demonstrates the functions.
sTest = "Hello World! Click Here!"
WScript.Echo CleanOutHTML(sTest)
sTest2 = "Helo W%o;rl)d! H(o&w ar'e y\ou\?"
WScript.Echo CleanOutDangerousChars(sTest2)
sTest3 = "cmd.exeHello WSELECTorld! Having selectaInSert niFROMce WhereduPdAtEay?"
WScript.Echo CleanOutDangerousWords(sTest3)
sTest4 = "Hello World!|The time has come for Ragnarok!"
WScript.Echo CleanOutTextAfterPipe(sTest4)