Re: Displaying User-Supplied String



Yup. I definitely want to do 2, but just hadn't got that far.

Thanks.

Jonathan

"Jesse Houwing" <jesse.houwing@xxxxxxxxxxxxxxxx> wrote in message news:21effc90206518c9d43d181662ea@xxxxxxxxxxxxxxxxxxxxx
Hello Jonathan,

Right. I tested it by surrounding my input with <b> and </b>. To my
surprise, it causes an unhandled exception: A potentially dangerous
Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Not sure yet where the error is being thrown from exactly, but I'm
looking into it.

By default any input containing either a piece of JavaScript code or an HTML tag will be rejected by ASP.NET from version 1.1 and higher.

You can switch this automatic validation off from the web.config or the page directive of the aspx file in question:

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

Jesse

"Jesse Houwing" <jesse.houwing@xxxxxxxxxxxxxxxx> wrote in message
news:21effc90205bd8c9d43b6960ffef@xxxxxxxxxxxxxxxxxxxxx

Hello Mark Rae [MVP],

"Jonathan Wood" <jwood@xxxxxxxxxxxxxxxx> wrote in message
news:OqKJvmgBIHA.5868@xxxxxxxxxxxxxxxxxxxxxxx

Okay, I have a site that displays information based on user input,
a couple of the items are plain strings that the user entered.

I understand the risk here is that they could insert javascript or
whatever in their string and, when my page displays it, that script
could be executed.

What is the best approach for preventing that?

Are you talking about SQL Injection i.e. the strings supplied by the
users are used to look up records in a database?

If so, you need to use parameterised queries or stored procedures.

Google "SQL injection"

There's more than SQL injection at work here. Apart from SQL
injection there is the risk of cross site scripting as the original
poster correctly identified. Best way to prevent that is to call
Server.HTMLEncode on each field before displaying it. I usually don't
encode the data before putting it into the database as the data might
be used in a non-web environment as well (reporting, windows client
etc).

So encode before displaying.

--
Jesse Houwing
jesse.houwing at sogeti.nl
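The encode-at-display approach Jesse describes, as an added example that is not part of the thread. It is a stand-alone console program rather than an aspx page, so it uses System.Net.WebUtility.HtmlEncode in place of Server.HtmlEncode (both produce HTML-safe text); the stored descriptions are constructed sample values, and RenderField and RenderAlreadyEncoded are names chosen here, not ASP.NET APIs.

```csharp
// Added example (not from the thread): encode user-supplied text at display
// time, leaving the database value as the user typed it. The sample values
// below are constructed; one of them is the "<b>Property1</b>" string from
// the thread, which request validation would normally reject on the way in.
using System;
using System.Net;

static class OutputEncodingDemo
{
    // Simulates values read back from the database, stored raw.
    static readonly string[] StoredDescriptions =
    {
        "Plain description",
        "<b>Property1</b>",                 // markup, as in the thread
        "<script>alert('x')</script>",      // the cross site scripting case
        "Tom & Jerry's \"house\""           // characters that need escaping
    };

    // Builds the HTML for one field. Encoding happens here, at output time,
    // so reports or Windows clients still get the unencoded text.
    static string RenderField(string raw)
    {
        return "<span class=\"description\">" + WebUtility.HtmlEncode(raw) + "</span>";
    }

    // Shows why encoding before storage is a problem: a value stored already
    // encoded is encoded a second time by the page, so the browser shows the
    // literal text &lt;b&gt;Property1&lt;/b&gt; instead of plain text.
    static string RenderAlreadyEncoded(string raw)
    {
        string storedEncoded = WebUtility.HtmlEncode(raw); // the mistake: encode before storing
        return RenderField(storedEncoded);                 // the page encodes again
    }

    static void Main()
    {
        foreach (string s in StoredDescriptions)
        {
            Console.WriteLine(RenderField(s));
        }
        // Double-encoded output for comparison.
        Console.WriteLine(RenderAlreadyEncoded("<b>Property1</b>"));
    }
}
```

The script-tag sample renders as `&lt;script&gt;alert(&#39;x&#39;)&lt;/script&gt;` inside the span, which the browser displays as text and never executes; the double-encoded line shows the `&amp;lt;` artefact you get when data is encoded on the way into the database as well.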