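<%
'=============================================================================
' FILE:     encoding.asp
' PURPOSE:  Output encoding functions to prevent XSS attacks
' CREATED:  2025-10-10
'
' NOTES:    Every encoder here is context-specific. Use the one that matches
'           the exact place the value lands (JS string literal, JSON, SQL
'           string literal, filename). For HTML body/attribute output use
'           Server.HTMLEncode; none of these functions is a substitute for it.
'=============================================================================

'-----------------------------------------------------------------------------
' FUNCTION:   JavaScriptEncode
' PURPOSE:    Encodes a string for safe use INSIDE a quoted JavaScript string
'             literal ('...' or "..."), including literals that live in an
'             inline <script> block.
' PARAMETERS:
'   str (String) - String to encode
' RETURNS:    String - JavaScript-safe encoded string ("" for Null/empty)
' NOTES:      Not for unquoted JS contexts (identifiers, numbers, event
'             handler attributes without quoting). Escapes:
'               \ ' "            -> backslash escapes
'               CR/LF/CRLF, TAB  -> \n / \t (line breaks are normalised to \n)
'               < > &            -> \x3C \x3E \x26 so "</script>" or "<!--"
'                                   inside the literal cannot end the block
'               U+2028 / U+2029  -> \u2028 / \u2029 (JS line terminators that
'                                   otherwise terminate the string literal)
'               other U+0000..1F -> \xHH
'-----------------------------------------------------------------------------
Function JavaScriptEncode(str)
    If IsNull(str) Or str = "" Then
        JavaScriptEncode = ""
        Exit Function
    End If

    Dim result, i
    result = CStr(str)

    ' Backslash first so the escapes added below are not re-escaped.
    result = Replace(result, "\", "\\")
    result = Replace(result, "'", "\'")
    result = Replace(result, """", "\""")
    result = Replace(result, vbCrLf, "\n")
    result = Replace(result, vbCr, "\n")
    result = Replace(result, vbLf, "\n")
    result = Replace(result, vbTab, "\t")

    ' Escaping quotes alone is not enough inside <script>: the HTML parser
    ' ends the element at the first "</script>" regardless of JS quoting.
    result = Replace(result, "<", "\x3C")
    result = Replace(result, ">", "\x3E")
    result = Replace(result, "&", "\x26")

    ' U+2028/U+2029 are line terminators in ECMAScript string literals.
    result = Replace(result, ChrW(8232), "\u2028")
    result = Replace(result, ChrW(8233), "\u2029")

    ' Remaining C0 control characters (TAB/LF/CR already handled above).
    For i = 0 To 31
        If i <> 9 And i <> 10 And i <> 13 Then
            result = Replace(result, Chr(i), "\x" & Right("0" & Hex(i), 2))
        End If
    Next

    JavaScriptEncode = result
End Function

'-----------------------------------------------------------------------------
' FUNCTION:   SQLEncode
' PURPOSE:    Basic SQL string escaping (use parameterized queries instead!)
' PARAMETERS:
'   str (String) - String to encode
' RETURNS:    String - SQL-escaped string ("" for Null/empty)
' NOTES:      This is a fallback - ALWAYS prefer parameterized queries
'             (ADODB.Command with Parameters). Doubling the single quote is
'             only correct when the value is placed inside a single-quoted
'             string literal on an engine that does not treat backslash as an
'             escape (SQL Server, Access/Jet). It is NOT sufficient for:
'               - numeric or identifier positions (no quotes to escape out of)
'               - MySQL with backslash escaping enabled
'               - LIKE patterns (% and _ are not neutralised)
'               - Unicode homoglyph folding on the server side
'-----------------------------------------------------------------------------
Function SQLEncode(str)
    If IsNull(str) Or str = "" Then
        SQLEncode = ""
        Exit Function
    End If

    SQLEncode = Replace(CStr(str), "'", "''")
End Function

'-----------------------------------------------------------------------------
' FUNCTION:   JSONEncode
' PURPOSE:    Encodes a string for safe use inside a JSON string value
'             (caller supplies the surrounding double quotes).
' PARAMETERS:
'   str (String) - String to encode
' RETURNS:    String - JSON-safe encoded string ("" for Null/empty)
' NOTES:      RFC 8259 requires every U+0000..U+001F to be escaped; an
'             unescaped control character makes the whole document invalid
'             for strict parsers. CR is preserved as \r (the previous
'             implementation silently deleted it, which also made the later
'             Chr(13) -> \r replacement unreachable). < and > are emitted as
'             \u003c / \u003e so the output can also be embedded in an inline
'             <script> block without "</script>" breaking out of it.
'-----------------------------------------------------------------------------
Function JSONEncode(str)
    If IsNull(str) Or str = "" Then
        JSONEncode = ""
        Exit Function
    End If

    Dim result, i
    result = CStr(str)

    ' Backslash first so the escapes added below are not re-escaped.
    result = Replace(result, "\", "\\")
    result = Replace(result, """", "\""")
    result = Replace(result, "/", "\/")

    ' Short-form escapes defined by the JSON grammar.
    result = Replace(result, Chr(8), "\b")
    result = Replace(result, Chr(9), "\t")
    result = Replace(result, Chr(10), "\n")
    result = Replace(result, Chr(12), "\f")
    result = Replace(result, Chr(13), "\r")

    ' Every other control character must use the \u00HH form.
    For i = 0 To 31
        If i <> 8 And i <> 9 And i <> 10 And i <> 12 And i <> 13 Then
            result = Replace(result, Chr(i), "\u00" & Right("0" & Hex(i), 2))
        End If
    Next

    ' Safe embedding in HTML <script>: no literal "</script>", and no
    ' U+2028/U+2029 which are line terminators when JSON is parsed as JS.
    result = Replace(result, "<", "\u003c")
    result = Replace(result, ">", "\u003e")
    result = Replace(result, ChrW(8232), "\u2028")
    result = Replace(result, ChrW(8233), "\u2029")

    JSONEncode = result
End Function

'-----------------------------------------------------------------------------
' FUNCTION:   StripHTML
' PURPOSE:    Removes all HTML tags from a string
' PARAMETERS:
'   str (String) - String to strip
' RETURNS:    String - String with HTML removed ("" for Null/empty)
' NOTES:      This is a presentation helper, NOT an XSS defence. It only drops
'             complete <...> sequences: an unterminated "<script" survives,
'             entity-encoded text (&lt;script&gt;) is untouched and will
'             decode back to markup, and text outside tags is returned
'             verbatim. Always pass the result through Server.HTMLEncode (or
'             the matching context encoder) before writing it to a page.
'-----------------------------------------------------------------------------
Function StripHTML(str)
    If IsNull(str) Or str = "" Then
        StripHTML = ""
        Exit Function
    End If

    Dim objRegEx
    Set objRegEx = New RegExp
    objRegEx.Pattern = "<[^>]+>"
    objRegEx.Global = True
    objRegEx.IgnoreCase = True

    StripHTML = objRegEx.Replace(CStr(str), "")
    Set objRegEx = Nothing
End Function

'-----------------------------------------------------------------------------
' FUNCTION:   TruncateString
' PURPOSE:    Safely truncates a string to specified length
' PARAMETERS:
'   str (String)          - String to truncate
'   maxLength (Integer)   - Maximum length of the returned string
'   addEllipsis (Boolean) - Whether to add "..." at end
' RETURNS:    String - Truncated string ("" for Null/empty or maxLength <= 0)
' NOTES:      The returned value is never longer than maxLength. With
'             addEllipsis the "..." is only used when maxLength >= 3; below
'             that a plain cut is returned instead of raising "Invalid
'             procedure call" from Left() with a negative length.
'-----------------------------------------------------------------------------
Function TruncateString(str, maxLength, addEllipsis)
    If IsNull(str) Or str = "" Then
        TruncateString = ""
        Exit Function
    End If

    Dim result, limit
    result = CStr(str)
    limit = CLng(maxLength)

    If limit <= 0 Then
        TruncateString = ""
    ElseIf Len(result) <= limit Then
        TruncateString = result
    ElseIf addEllipsis And limit >= 3 Then
        TruncateString = Left(result, limit - 3) & "..."
    Else
        ' Either no ellipsis requested, or limit too small to hold "...".
        TruncateString = Left(result, limit)
    End If
End Function

'-----------------------------------------------------------------------------
' FUNCTION:   SanitizeFilename
' PURPOSE:    Removes dangerous characters from filenames
' PARAMETERS:
'   filename (String) - Filename to sanitize
' RETURNS:    String - Safe filename (may be "" if nothing usable remains)
' NOTES:      Removes: ".." sequences, path separators (/ and \), drive and
'             alternate-data-stream delimiter (:), the Windows-reserved
'             characters < > " | ? *, and all control characters
'             (U+0000..U+001F, including NUL which truncates paths in native
'             APIs). Trailing dots and spaces are stripped because Windows
'             silently drops them, so "secret.txt." would otherwise resolve to
'             "secret.txt". Reserved device names (CON, PRN, AUX, NUL, COM1-9,
'             LPT1-9, with any extension) are prefixed with "_". Length is
'             capped at 255 characters.
'
'             Callers MUST check for an empty result, and should prefer
'             generating their own server-side file name (e.g. a GUID plus an
'             allow-listed extension) and keeping the user-supplied name only
'             as display metadata. This function does not validate extensions
'             or content type.
'-----------------------------------------------------------------------------
Function SanitizeFilename(filename)
    If IsNull(filename) Or filename = "" Then
        SanitizeFilename = ""
        Exit Function
    End If

    Dim result, objRegEx
    result = CStr(filename)

    ' Remove path traversal attempts
    result = Replace(result, "..", "")

    ' Path separators, drive/stream delimiter, Windows-reserved characters
    ' and all C0 control characters (NUL included) in one pass.
    Set objRegEx = New RegExp
    objRegEx.Global = True
    objRegEx.Pattern = "[\\/:<>""|?*\x00-\x1f]"
    result = objRegEx.Replace(result, "")

    ' Windows ignores trailing dots/spaces; strip them so the name we store
    ' is the name the filesystem will actually use. Also collapses "." to "".
    objRegEx.Pattern = "[. ]+$"
    result = objRegEx.Replace(result, "")

    ' Reserved DOS device names are not valid file names on Windows even
    ' with an extension ("CON.txt" still opens the console device).
    objRegEx.Pattern = "^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$"
    objRegEx.IgnoreCase = True
    If objRegEx.Test(result) Then
        result = "_" & result
    End If
    Set objRegEx = Nothing

    ' Most filesystems limit a single path component to 255 characters.
    If Len(result) > 255 Then
        result = Left(result, 255)
    End If

    SanitizeFilename = result
End Function
%>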