Could my forms be hacked.

Posted by Mike Sandman on Stack Overflow See other posts from Stack Overflow or by Mike Sandman
Published on 2010-04-19T11:22:20Z Indexed on 2010/04/19 11:23 UTC
Read the original article Hit count: 320

Filed under:
|
|

Hi there, I posted a question yesterday, which I intend to get back to today however I wrote some JavaScript as a first line of prevention against XSS. However when testing this on my live server I catch some invalid input as the javascript catches the php section. My form uses post and php isn't in my form items (i haven't typed it in). Could this be picking up the form action or something? I'm baffeled, Any ideas

Here is my code, it is triggered on the submit button.

function validateForBadNess(){

var theShit = new Array("*","^", "$", "(",")","{", "}","[", "]","\", "|", "'","/","?",",","=",">","gt","lt", "<","script","`","´","php"); var tagName = new Array();

tagName[0] = "input"; tagName[1] = "select"; tagName[2] = "textbox"; tagName[3] = "textarea";

for (ms=0;ms

// loop through the elements of the form var formItems = document.getElementsByTagName(tagName[ms]);

for (var xs=0;xs

var thisString = formItems[xs].value;

// loop through bad array for (zs in theShit){

//alert(thisString + " " + thisString.indexOf(theShit[zs]))
if(thisString.indexOf(theShit[zs]) >= 0){

alert("Sorry but the following character: " + theShit[zs] + " is not permitted. Please omit it from your input.\nIf this is part of your password please contact us to heave your password reset.")
return false;

}

 }

// loop for formitems }

// tagName toop } // original condition }

© Stack Overflow or respective owner

Related posts about hacking

Related posts about JavaScript