Re: Displaying User-Supplied String



Hello Jonathan,

Right. I tested it by surrounding my input with <b> and </b>. To my
surprise, it causes an unhandled exception: A potentially dangerous
Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Not sure yet where the error is being thrown from exactly, but I'm
looking into it.

By default any input containing either a piece of javascript code or an HTML tag will be rejected by ASP.NET from version 1.1 and higher.

You can switch this automatic validation off from the web.config or the page directive of the aspx file in question:

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

Jesse

"Jesse Houwing" <jesse.houwing@xxxxxxxxxxxxxxxx> wrote in message
news:21effc90205bd8c9d43b6960ffef@xxxxxxxxxxxxxxxxxxxxx

Hello Mark Rae [MVP],

"Jonathan Wood" <jwood@xxxxxxxxxxxxxxxx> wrote in message
news:OqKJvmgBIHA.5868@xxxxxxxxxxxxxxxxxxxxxxx

Okay, I have a site that displays information based on user input,
a couple of the items are plain strings that the user entered.

I understand the risk here is that they could insert javascript or
whatever in their string and, when my page displays it, that script
could be executed.

What is the best approach for preventing that?

Are you talking about SQL Injection i.e. the strings supplied by the
users are used to look up records in a database?

If so, you need to use parameterised queries or stored procedures.

Google "SQL injection"

There's more than SQL injection at work here. Apart from SQL
injection there is the risk of cross site scripting as the original
poster correctly identified. Best way to prevent that is to call
Server.HTMLEncode on each field before displaying it. I usually don't
encode the data before putting it into the database as the data might
be used in a non-web environment as well (reporting, windows client
etc).

So encode before displaying.

--
Jesse Houwing
jesse.houwing at sogeti.nl
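As an added illustration of the "store raw, encode when displaying" approach Jesse describes (this is example code, not code from the thread); the page class, the control names, the in-memory store and the click handler are assumptions made for the example:

```csharp
// Example (not from the thread): ASP.NET Web Forms code-behind that keeps the
// user's text exactly as typed and HTML-encodes it only at the output boundary.
//
// For the page to accept input such as "<b>Property1</b>" at all, the request
// validation the thread mentions must be switched off in the page directive:
//   <%@ Page Language="C#" ValidateRequest="false" ... %>
// Once it is off, encoding on output is the only thing standing between the
// stored string and the browser, so every display path must encode.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class PropertyPage : Page
{
    // Stand-in for the database row (assumption for this example). The value
    // is stored raw because the same data may be consumed by reports or a
    // Windows client that do not speak HTML.
    private static string storedDescription = "";

    // DescriptionTextBox and DescriptionLiteral are assumed to be declared on
    // the matching .aspx page.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // No encoding here: persist what the user typed.
        storedDescription = DescriptionTextBox.Text;
    }

    protected void Page_PreRender(object sender, EventArgs e)
    {
        // Encode once, at the point the string becomes HTML. The stored
        // "<b>Property1</b>" is emitted as &lt;b&gt;Property1&lt;/b&gt;, so the
        // browser shows the tags as text instead of interpreting them.
        DescriptionLiteral.Text = Server.HtmlEncode(storedDescription);
    }
}
```

A `Label` or `Literal` whose `Text` is assigned from user data needs the same `Server.HtmlEncode` call; only controls that encode on their own (for example data-bound ones with `HtmlEncode="true"`) can skip it.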




