 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / General / November 2006RegEx question
Greetings, I have a troubling issue that I'm not sure how to approach at this point. Given the HTML tag (any tag will do): <div id='divSomething' onmouseover='...'>Next we write onmouseover='alert(message);' ...</div> I want to write a Regular Expression that only will search the opening div tag for the "onmouseover" text. My current expression: (<.*?(ONMOUSEOVER)\s*=.*?>) will incorrectly detect: <div id='divSomething'>Next we write onmouseover='alert(message);' ...</div> Any ideas how I can limit to only the opening tag? Thanks, Shawn > Given the HTML tag (any tag will do): > [quoted text clipped - 9 lines] > > Any ideas how I can limit to only the opening tag? The easy way to do this is to replace the the first .* with a [^>]* - "look for any number of characters that aren't the > character", instead of "look for any number of any character." That is, (<[^>]*?(ONMOUSEOVER)\s*=.*?>)  Signaturewww.midnightbeach.com/.net What you need to know. (?i)(?<=<[\w]+[^<\>=]+)(onmouseover)=(?:["']?([^"'>=]*)["']?) This regular expression will capture the entire attribute name and value. The name ("onmouseover" will be in Group 1, and the value in Group 2. SignatureHTH, Kevin Spencer Microsoft MVP Ministry of Software Development http://unclechutney.blogspot.com Never trust a dunderhead with a blunderbuss. >> Given the HTML tag (any tag will do): >> [quoted text clipped - 17 lines] > > (<[^>]*?(ONMOUSEOVER)\s*=.*?>) > (?i)(?<=<[\w]+[^<\>=]+)(onclick)=(?:["']?([^"'>=]*)["']?) > > This regular expression will capture the entire attribute name and value. > The name ("onmouseover" will be in Group 1, and the value in Group 2. Using Regulator, the above expression does not work on the following test cases: <SCRIPT NAME=Happy VALUE='happier' ATTR="happiest" onClick='dosomething();'>CONENT</SCRIPT> <SCRIPT name=ha onclick = 'asdf'>asdf</SCRIPT> <tag>var x = asdf.onclick="";</tag> It should detect #1 and #2 but ignore #3 Thanks, Shawn I don't have the original question you asked, and I'm not sure you specified what the rules should be. Neither do I have the original Regular Expression I posted for you. The one you posted is modified. So, I can't tell you what rules I assumed for those which were not provided, nor can I tell you whether the change you made to the regular expression has anything to do with it. Therefore, I went back into my personal library, and found a Regular Expression I once created for another project, which identifies all attribute names and values (in 2 groups) in a block of HTML text. The original was this, to capture *all* attribute names and values: (?i)\s+(?:(\w+)=(?:["']?([^"'>=]*)["']?)(?=\s|/?>)|\s*(?=\s|/?>)) The first group is defined by the sequence: (\w+) (any sequence of one or more alpha-numeric characters). I replaced that with the following: (?i)\s+(?:(onclick)=(?:["']?([^"'>=]*)["']?)(?=\s|/?>)|\s*(?=\s|/?>)) This will only capture attributes with a name of "onclick" (case-insensitive) Upon testing it with your script sample below, it correctly identified only ONE of the attributes, the first one. The reason it didn't identify the second one you said that it should is that the second one is not correct syntactically. In HTML, the '=' character in an attribute may not be preceded or followed by any spaces. SignatureHTH, Kevin Spencer Microsoft MVP Logostician http://unclechutney.blogspot.com Parabola is a mate of plane. >> (?i)(?<=<[\w]+[^<\>=]+)(onclick)=(?:["']?([^"'>=]*)["']?) >> [quoted text clipped - 13 lines] > Thanks, > Shawn Kevin, thanks for your reply. Actually, I'm trying to look for cross site scripting vulnerabilities on input fields. While the '=' preceded or superceded by a space isn't valid html, the browser (IE) will still render it and treat it the same, and it is a perfectly valid detection evasion technique. The expression you provided actually still allows a few false positives to go through on our system but I did find an express that works flawlessly: (<[^>]*?(ONMOUSEOVER)\s*=.*?>) This expression catches every one of our known vulnerabilities and does not catch any of our known false positives. However, I'll take a closer look at your expression and figure out if we can adapt it to other parts of our scanning engine. Thanks, Shawn >I don't have the original question you asked, and I'm not sure you >specified what the rules should be. Neither do I have the original Regular [quoted text clipped - 44 lines] >> Thanks, >> Shawn My pleasure, Shawn. As always, figuring out the business rules is the hardest part! SignatureHTH, Kevin Spencer Microsoft MVP Logostician http://unclechutney.blogspot.com Parabola is a mate of plane. > Kevin, thanks for your reply. Actually, I'm trying to look for cross site > scripting vulnerabilities on input fields. While the '=' preceded or [quoted text clipped - 62 lines] >>> Thanks, >>> Shawn Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.