.NET Forum / ASP.NET / General / October 2007

Displaying User-Supplied String

Jonathan Wood - 03 Oct 2007 23:05 GMT
Okay, I have a site that displays information based on user input, a couple
of the items are plain strings that the user entered.

I understand the risk here is that they could insert javascript or whatever
in their string and, when my page displays it, that script could be
executed.

What is the best approach for preventing that?

Thanks.

Jonathan
Mark Rae [MVP] - 03 Oct 2007 23:21 GMT
> Okay, I have a site that displays information based on user input, a
> couple of the items are plain strings that the user entered.
[quoted text clipped - 4 lines]
>
> What is the best approach for preventing that?

Are you talking about SQL Injection i.e. the strings supplied by the users
are used to look up records in a database?

If so, you need to use parameterised queries or stored procedures.

Google "SQL injection"

Mark Rae
ASP.NET MVP
http://www.markrae.net

Jesse Houwing - 04 Oct 2007 00:17 GMT
Hello Mark Rae [MVP],

>> Okay, I have a site that displays information based on user input, a
>> couple of the items are plain strings that the user entered.
[quoted text clipped - 11 lines]
>
> Google "SQL injection"

There's more than SQL injection at work here. Apart from SQL injection there
is the risk of cross site scripting as the original poster correctly identified.
Best way to prevent that is to call Server.HTMLEncode on each field before
displaying it. I usually don't encode the data before putting it into the
database as the data might be used in a non-web environment as well (reporting,
Windows client etc).

So encode before displaying.

--
Jesse Houwing
jesse.houwing at sogeti.nl
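
The encode-before-display approach Jesse describes, as an added C# example (not code from the thread): the raw string is kept as entered and encoded once, at output time, with the encoder that matches the HTML context. The ReportRenderer class and the sample inputs are assumptions; HttpUtility.HtmlEncode and HtmlAttributeEncode are the framework's own methods.

```csharp
using System;
using System.Web;

// Added example, not from the thread. Store the raw user string; encode it
// once, at display time, for the context it lands in. If request validation
// is switched off (ValidateRequest="false"), this encoding is the only thing
// standing between the stored string and the visitor's browser.
public static class ReportRenderer
{
    // Element content, e.g. <td>name</td>: HtmlEncode turns < > & " into
    // entities, so the browser shows the text instead of parsing it as tags.
    public static string NameCell(string userSupplied)
    {
        return "<td>" + HttpUtility.HtmlEncode(userSupplied) + "</td>";
    }

    // Attribute value: use HtmlAttributeEncode AND double quotes. On .NET
    // 2.0/3.5 neither encoder touches the single quote, so a single-quoted
    // attribute could still be closed early by user text.
    public static string HiddenField(string fieldName, string userSupplied)
    {
        return "<input type=\"hidden\" name=\""
             + HttpUtility.HtmlAttributeEncode(fieldName)
             + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(userSupplied) + "\" />";
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed inputs: the thread's own test string, and a name that
        // legitimately contains both kinds of quote.
        string[] samples = { "<b>Property1</b>", "Joe's \"Main St\" duplex" };
        foreach (string s in samples)
        {
            Console.WriteLine(ReportRenderer.NameCell(s));
            Console.WriteLine(ReportRenderer.HiddenField("description", s));
        }
    }
}
```

In a Web Forms code-behind the same thing is a one-liner per field, e.g. `litDescription.Text = Server.HtmlEncode(description);`, since Label and Literal controls do not encode for you.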
Jonathan Wood - 04 Oct 2007 00:22 GMT
Right. I tested it by surrounding my input with <b> and </b>. To my
surprise, it causes an unhandled exception: A potentially dangerous
Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Not sure yet where the error is being thrown from exactly, but I'm looking
into it.

Jonathan

> Hello Mark Rae [MVP],
>
[quoted text clipped - 26 lines]
> Jesse Houwing
> jesse.houwing at sogeti.nl
Jesse Houwing - 04 Oct 2007 00:29 GMT
Hello Jonathan,

> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
[quoted text clipped - 3 lines]
> Not sure yet where the error is being thrown from exactly, but I'm
> looking into it.

By default any input containing either a piece of javascript code or an HTML
tag will be rejected by ASP.NET from version 1.1 and higher.

You can switch this automatic validation off from the web.config or the page
directive of the aspx file in question:

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm


Jesse

>> Hello Mark Rae [MVP],
>>
[quoted text clipped - 27 lines]
>> Jesse Houwing
>> jesse.houwing at sogeti.nl
--
Jesse Houwing
jesse.houwing at sogeti.nl
Jonathan Wood - 04 Oct 2007 03:40 GMT
Yup. I definitely want to do 2. but just wasn't getting that far.

Thanks.

Jonathan

> Hello Jonathan,
>
[quoted text clipped - 50 lines]
> Jesse Houwing
> jesse.houwing at sogeti.nl
Mark Rae [MVP] - 04 Oct 2007 00:31 GMT
> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
> Request.Form value was detected from the client
> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Yes, that is ASP.NET's standard response to this sort of thing... By
default, it considers posting of HTML as *potentially* dangerous, as Jesse
correctly explained...

You have several options here, depending on what you're trying to do...

Can you explain a bit more about what is and, more importantly, what is not
valid data in this case...

Mark Rae
ASP.NET MVP
http://www.markrae.net

Jonathan Wood - 04 Oct 2007 03:36 GMT
Mark,

>> Right. I tested it by surrounding my input with <b> and </b>. To my
>> surprise, it causes an unhandled exception: A potentially dangerous
[quoted text clipped - 9 lines]
> Can you explain a bit more about what is and, more importantly, what is
> not valid data in this case...

It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
several data fields. I then do a postback to a different page. That other
page examines the fields, performs calculations on some of them, and creates
a report. Some fields, such as the property and loan names, are simply
strings that are displayed as is (there is no invalid value).

My background is native programming. Here, the error seems to occur when the
first page is submitted which doesn't involve any of my code. So I'm not
sure how I'm supposed to trap it.

BTW, I tried the same thing (<b> and </b> in the property Description field)
when the app is running online and it still causes an error but does not
display the details.

Thanks.

Jonathan
Mark Rae [MVP] - 04 Oct 2007 09:47 GMT
>> Can you explain a bit more about what is and, more importantly, what is
>> not valid data in this case...
>
> It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
> several data fields. I then do a postback to a different page.

Any particular reason that you postback to a different page, AAMOI...?

> That other page examines the fields, performs calculations on some of
> them, and creates a report. Some fields, such as the property and loan
> names, are simply strings that are displayed as is (there is no invalid
> value).

There doesn't appear to be any validation at all - e.g. it's possible to
enter "Hello" in the purchase price... My advice would be to fix that
first...

> BTW, I tried the same thing (<b> and </b> in the property Description
> field) when the app is running online and it still causes an error but
> does not display the details.

Obviously the absolute last thing you want to do in a live site is actually
display an error to the user... Instead, capture the error with proper
exception handling, email yourself the error and all its metadata, redirect
the user to a friendly page where you apologise that something has gone
wrong and, depending on what the error actually was, advise them how to
proceed...

Mark Rae
ASP.NET MVP
http://www.markrae.net
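
The handling Mark advises, as an added C# example (not code from the thread): a Global.asax code-behind that catches the error centrally, which is also where the request validation exception from the first page's postback ends up, so Jonathan's own page code never needs to trap it. The two page names are assumptions, and the Trace call stands in for whatever logging or e-mail notification you use.

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not from the thread. Application_Error runs for any
// unhandled exception in the request pipeline, including the one request
// validation throws before Page_Load of the receiving page is ever reached.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        // ASP.NET wraps the real exception; GetBaseException() unwraps it.
        Exception root = error.GetBaseException();
        HttpRequest req = Context.Request;

        // Record the error with its metadata (replace with your logger or
        // an e-mail to yourself, as Mark suggests).
        Trace.TraceError("{0} {1} from {2}: {3}\n{4}",
            req.HttpMethod, req.RawUrl, req.UserHostAddress,
            root.Message, root.StackTrace);

        // Clear the error so the default page with exception details is
        // never rendered to the visitor, on the development box or live.
        Server.ClearError();

        // A rejected <b>...</b> in a form field arrives here as
        // HttpRequestValidationException; give that case its own advice page
        // (assumed name) telling the user which characters are not accepted.
        string target = root is HttpRequestValidationException
            ? "~/InvalidInput.aspx"
            : "~/Error.aspx";

        // endResponse:false avoids the ThreadAbortException that Redirect
        // otherwise throws; CompleteRequest ends the pipeline cleanly.
        Response.Redirect(target, false);
        CompleteRequest();
    }
}
```

Wire it up with `<%@ Application Inherits="Global" %>` in Global.asax; the redirect targets must themselves be pages that request validation will not reject.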

Steve C. Orr [MCSD, MVP, CSM, ASP Insider] - 04 Oct 2007 01:04 GMT
I recommend you use Microsoft's free Anti Cross Site Scripting Library:
http://msdn2.microsoft.com/en-us/security/aa973814.aspx

I hope this helps,
Steve C. Orr,
MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net

> Okay, I have a site that displays information based on user input, a
> couple of the items are plain strings that the user entered.
[quoted text clipped - 8 lines]
>
> Jonathan
