
.NET Forum / .NET Framework / Security / September 2004


Escape html tags and other dangerous input

Shabam - 28 Sep 2004 10:18 GMT
I have an application that stores user input via a text box.  The text box
lets user enter their hobby, which can then be viewed in their page by
others.  This hobby is linked by the application so that it searches the
database for other users who have the same hobby.  The search string is
displayed as:
<a href="http://www.domain.com/search.aspx?hobby=WHATEVER">WHATEVER</a>

The problem comes when the users inputs something invalid like "&".  This is
obviously interpreted by the server as another variable, and can mess things
up when a viewing user clicks on the link, since the search engine does take
on other fields too.

Another would be if the user tries to inject html tags like "><THEIR HTML>".
This would mess up the remainder of the page obviously.

What is the best way to filter out such nasty input?  There may also be
others that I'm unaware of.  I'm taking care of SQL injection by using
parameterized SQL queries.

Are there library functions I can just use or do I have to do this manually?
Ben Lucas - 28 Sep 2004 14:46 GMT
To prevent this kind of injection attack, I would validate the user input
and disallow the offending characters.  If you were not using it in a
hyperlink, I would suggest HTML Encoding it, as that would prevent the HTML
injection, but that doesn't help with the ampersand, and the search page
would need to HTML Unencode it or it would affect the search results.  If
you cannot disallow the offending characters, then you will need some way to
change the ampersand on your querystring so that it is not an ampersand but
can be interpreted by the search page correctly.

Hope this helps.

Ben Lucas
Lead Developer
Solien Technology, Inc.
www.solien.com

Shabam - 29 Sep 2004 08:35 GMT
> To prevent this kind of injection attack, I would validate the user input
> and disallow the offending characters.  If you were not using it in a
[quoted text clipped - 4 lines]
> change the ampersand on your querystring so that it is not an ampersand but
> can be interpreted by the search page correctly.

Besides the following characters, which others are potentially dangerous?
Is there a complete list somewhere?

', %, #, &, !
Ben Lucas - 29 Sep 2004 17:43 GMT
Given your earlier code, I would block &, ', %, and "

The & affects the querystring.  % can be used to have an effect on the
search results.  Single quotes can end the SQL statement allowing for a SQL
injection attack.  And double quotes can end the href in the anchor tag,
allowing the possibility for cross-site scripting.

Ben Lucas
Lead Developer
Solien Technology, Inc.
www.solien.com

"Shawn Farkas [MS]" - 30 Sep 2004 00:20 GMT
> Besides the following characters, which others are potentially dangerous?
> Is there a complete list somewhere?
>
> ', %, #, &, !

Instead of filtering out characters that you don't want, you should write
your code to do the reverse .... meaning that you should have a list of
characters that you will allow, and disallow everything not on that list.  
In this case, it makes sense to allow only a-z, A-Z, and maybe 0-9 and the
space character.

-Shawn
http://blogs.msdn.com/shawnfa  
--  
This posting is provided "AS IS" with no warranties, and confers no rights.


Note:  
For the benefit of the community-at-large, all responses to this message
are best directed to the newsgroup/thread from which they originated.
Nicole Calinoiu - 30 Sep 2004 15:35 GMT
If this is an ASP.NET application, you can take advantage of the UrlEncode
and HtmlEncode methods of the System.Web.HttpServerUtility class.  Some
methods of some ASP.NET controls will HTML-encode for you, but the
System.Web.UI.WebControls.HyperLink control doesn't.  Assuming you are using
the HyperLink control to display the link, you should URL-encode the hobby
value and HTML-encode the display text.  e.g. (assuming that you've already
verified that the hobbyName string is not null):

yourHyperLink.NavigateUrl = "http://www.domain.com/search.aspx?hobby=" +
Server.UrlEncode(hobbyName);
yourHyperLink.Text = Server.HtmlEncode(hobbyName);

In the search page, you can simply read the value from the query string
items collection since it will already have been URL-decoded by the
underlying .NET objects.  e.g.:

hobbyName = Request.QueryString["hobby"];

Of course, if you are going to display this value to the user in the search
page, you should URL- or HTML-encode it, as appropriate.

Also, you should keep in mind that, while validation of the user-provided
values is certainly a good idea, it is highly unlikely to eliminate all
display problems (particularly those involving client-side encoding of
non-low ASCII characters) unless it is sufficiently strict to potentially
interfere with intended functionality.  Even if your initial validation
screens out all characters that could potentially interfere with HTML
rendering or functionality, later changes may re-introduce the acceptance of
such characters, and this will cause problems unless the application can
accommodate them via appropriate render-time encoding.  In addition, the web
user interface is rarely the only mechanism via which data can be provided
(e.g.: direct entry into the underlying db or files is usually possible),
and your code should probably accommodate even innocent mistakes at that
level.

HTH,
Nicole

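The two points made in this thread, Shawn's allow-list validation and Nicole's per-context encoding of the hobby value, side by side in a console program. This is an added example, not code from any of the posters; it uses System.Net.WebUtility as the stand-alone equivalent of Server.UrlEncode/Server.HtmlEncode, and the hobby strings and the tiny query-string parser (a stand-in for Request.QueryString) are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

static class HobbyLink
{
    const string SearchUrl = "http://www.domain.com/search.aspx?hobby=";

    // "Before": the raw value lands unchanged in two different output contexts.
    public static string BuildLinkUnsafe(string hobby) =>
        "<a href=\"" + SearchUrl + hobby + "\">" + hobby + "</a>";

    // "After": URL-encode for the query string, HTML-encode for the visible text.
    // WebUtility.UrlEncode/HtmlEncode play the role of Server.UrlEncode/HtmlEncode.
    public static string BuildLinkSafe(string hobby) =>
        "<a href=\"" + SearchUrl + WebUtility.UrlEncode(hobby) + "\">"
        + WebUtility.HtmlEncode(hobby) + "</a>";

    // Allow-list as suggested in the thread: letters, digits and spaces only.
    static readonly Regex Allowed = new Regex(@"^[A-Za-z0-9 ]+$");
    public static bool IsAllowedHobby(string hobby) =>
        hobby != null && Allowed.IsMatch(hobby);

    // Constructed stand-in for Request.QueryString: split on '&', URL-decode each part.
    // This is exactly why a raw '&' inside the value becomes a second parameter.
    public static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>();
        foreach (var pair in query.Split('&'))
        {
            var eq = pair.IndexOf('=');
            var key = eq < 0 ? pair : pair.Substring(0, eq);
            var val = eq < 0 ? "" : pair.Substring(eq + 1);
            result[WebUtility.UrlDecode(key)] = WebUtility.UrlDecode(val);
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample inputs: one with the '&' from the question, one with the
        // quote-and-tag breakout the question mentions.
        foreach (var hobby in new[] { "Arts & Crafts", "\"><b>x</b>" })
        {
            Console.WriteLine("allow-list accepts: " + IsAllowedHobby(hobby));
            Console.WriteLine("unsafe: " + BuildLinkUnsafe(hobby));
            Console.WriteLine("safe:   " + BuildLinkSafe(hobby));
        }
        // The raw '&' truncates the value; the URL-encoded form round-trips intact.
        Console.WriteLine(ParseQuery("hobby=Arts & Crafts")["hobby"]);
        Console.WriteLine(ParseQuery("hobby=" + WebUtility.UrlEncode("Arts & Crafts"))["hobby"]);
    }
}
```

The allow-list rejects both sample values outright, which is the cheapest fix; the encoding path shows how a value that passes a later, looser validation still renders safely in both contexts.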
