I've got some source code that has some cross site scripting vulnerabilities in it. There is no input validation that happens when the browser sends data over to the server which is executing server-side Javascript and classic ASP (IIS 7.0).
My question is, is there a way to override the Request.Form("foo") object/method so that I can call a sanitization function too and get rid of prohibited JS/HTML? I don't want to do a find and replace on every single file everywhere Request.Form is called. I was hoping for something more elegant.
Any suggestions are appreciated.
I don't think you can change Request.Form members.
What you can do, as a partial solution, is to create a code that will run first on every page (for example, using an include directive) which loops over Request.Form, Request.QueryString etc., and if it finds suspected code, it terminates the code execution (Response.End). This solution is partial because it doesn't really sanitize input, it just drops execution when it finds suspected text.
Another option: Create an array, parallel to Request.Form. Populate this array with the same members as in Request.Form, but this time sanitized. Then, quickly do a Find-and-Replace over your whole code base, and change Request.Form to your custom array variable.