
I have a web site where users are allowed to enter JavaScript in order to compute some values. This script can be random and gets executed on the server side. I would like to perform some sort of validation in order to limit it only to "safe" functionality.

What I have come up with so far is: 1. Limit to a single line of code, no \r\n allowed. 2. Do not allow "http", "//", "\", "include", "require" to appear.

What else should I check in order to prevent crooks from executing random stuff on my backend?

Thank you.

Evgeny.

  • "h" + "ttp:" + "/" + "/" Commented Aug 22, 2015 at 9:13
  • A blacklist will never be secure. If your requirements are simple, consider using one of the multitude of custom language parsers available, where you can explicitly define what the language is allowed to do. Commented Aug 22, 2015 at 9:14
  • Right... The main purpose is math, so maybe I can whitelist it instead to Math operations and conversions. Commented Aug 22, 2015 at 9:17
  • Whitelisting is better, but if you just need maths that's even more reason to use a specially-designed parser. You can get maths out-of-the-box in most of them. google.co.uk/?q=javascript+math+parser Commented Aug 22, 2015 at 9:19
  • OK, the backend is .NET; do you know any good ones? Commented Aug 22, 2015 at 9:21
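The whitelisting approach the comments converge on, shown as an added example (not code from the question or its commenters, and in JavaScript rather than .NET so it can be run as-is): a tiny expression grammar evaluated by a recursive-descent parser, so anything outside the grammar, including the string-concatenation trick from the first comment, is rejected before any evaluation happens. The allowed function and constant names are assumptions chosen for illustration.

```javascript
// Whitelist evaluator for the "math only" case: the grammar below is the whole
// language, so strings, identifiers and property access never reach eval().
// Maps (not plain objects) so inherited names such as "constructor" are not allowed.
const FUNCS = new Map([['sqrt', Math.sqrt], ['abs', Math.abs], ['min', Math.min], ['max', Math.max]]);
const CONSTS = new Map([['pi', Math.PI], ['e', Math.E]]);

function tokenize(src) {
  return (src.match(/\d+(?:\.\d+)?|[A-Za-z_]\w*|\S/g) || []).map((s) => {
    if (/^\d/.test(s)) return { t: 'num', v: parseFloat(s) };
    if (/^[A-Za-z_]/.test(s)) return { t: 'id', v: s };
    if ('+-*/^(),'.includes(s)) return { t: 'op', v: s };
    throw new Error(`unexpected character: ${s}`);
  });
}
// Recursive-descent parser that evaluates while parsing and throws on anything outside the grammar.
function evaluate(src) {
  const toks = tokenize(src); let i = 0;   // token stream and cursor
  const peekIs = (v) => i < toks.length && toks[i].v === v;
  const expect = (v) => { if (!peekIs(v)) throw new Error(`expected '${v}'`); i++; };
  const binary = (next, ops) => {       // left-associative: next (op next)*
    let x = next();
    while (i < toks.length && toks[i].t === 'op' && ops.has(toks[i].v)) x = ops.get(toks[i++].v)(x, next());
    return x;
  };
  const expr = () => binary(term, new Map([['+', (a, b) => a + b], ['-', (a, b) => a - b]]));
  const term = () => binary(factor, new Map([['*', (a, b) => a * b], ['/', (a, b) => a / b]]));
  const factor = () => {                // factor := '-' factor | primary ('^' factor)?
    if (peekIs('-')) { i++; return -factor(); }
    const base = primary();
    return peekIs('^') ? (i++, Math.pow(base, factor())) : base;
  };
  const primary = () => {               // primary := number | const | func '(' expr {',' expr} ')' | '(' expr ')'
    const tok = toks[i++];
    if (!tok) throw new Error('unexpected end of input');
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'op' && tok.v === '(') { const x = expr(); expect(')'); return x; }
    if (tok.t === 'id' && peekIs('(')) {
      if (!FUNCS.has(tok.v)) throw new Error(`function not allowed: ${tok.v}`);
      i++; const args = [expr()];       // consume '(' and parse the argument list
      while (peekIs(',')) { i++; args.push(expr()); }
      expect(')');
      return FUNCS.get(tok.v)(...args);
    }
    if (tok.t === 'id' && CONSTS.has(tok.v)) return CONSTS.get(tok.v);
    throw new Error(`not allowed: ${tok.v}`);
  };
  const result = expr();
  if (i !== toks.length) throw new Error(`unexpected token '${toks[i].v}'`);
  return result;
}
```

Because the parser never hands text to the JavaScript engine, the blacklist of substrings from the question becomes unnecessary: `require("fs")`, `"h" + "ttp:"` and `Math.sqrt(4)` all fail at the tokenizer on the quote or the dot, and a bare identifier that is not a whitelisted function or constant fails in `primary`.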
