Desktop User Guides > Professional > Interview scripting > Writing interview scripts > Dealing with errors > Preventing cross-site scripting in text responses
 
Preventing cross-site scripting in text responses
Cross-site scripting (XSS) is a means of running code from one computer on another computer. It is sometimes used maliciously, either to obtain information from another computer or to change a computer’s settings. In interviews, questions with text responses provide an easy entry point for cross-site scripting because they generally accept anything that the respondent types.
One way of preventing cross-site scripting is to validate everything that the respondent types and to reject anything that does not contain characters that you deem to be valid in the response. The most common requirement is to reject responses that contain HTML tags because these could be used for introducing executable code into the response.
The interview scripting language provides the AllowXHTML option for you to specify whether or not HTML codes are acceptable in text. This option is False for all questions with text responses, so you should not normally need to do anything to prevent cross-site scripting. If you want to allow respondents to include HTML tags in their responses, set this option to True as follows:
Name.Validation.Options["AllowXHTML"] = True
where Name is the name of a question with a text response.
If you set AllowXHTML to True you should write your own custom validation function to check respondents' answers.
To see how this works, suppose you have the following questions in your script.
FirstName "What is your first name?" text;
LastName "What is your last name?" text;... other questions
Thanks "Thank you, {YourName}, for helping with our survey."
info;
and the routing section contains:
FirstName.Validation.Options["AllowXHTML"] = True
FirstName.Ask()
LastName.Validation.Options["AllowXHTML"] = False
LastName.Ask()...ask other questions ...
Thanks.Label.Inserts["YourName"] = FirstName.Response.Value
Thanks.Show()
Respondents will be able to enter anything as their first name, including HTML tags, whereas last names containing HTML tags will be rejected. If the respondent has entered HTML tags at FirstName, any scripting code inside those tags is executed when the Thanks message is displayed. If the code is malicious your system is at risk.
Disallowing HTML tags in response texts does not extend cases where you set the response to a text containing HTML characters in the routing section of the script. In the following example, respondents can enter anything they like as their profession as long as it does not contain HTML tags. However, anyone who does not answer the question will have their profession shown as “Not given” in bold regardless of the value of AllowXHTML:
Profession.MustAnswer = False
Profession.Ask()
If Profession.Response.Value = Null Then
Profession.Response.Value = "<b>Not given</b>"
End If
ConfirmProf.Label.Inserts["Prof"] = Profession.Response.Value
ConfirmProf.Ask()
See also
Dealing with errors