How do I prevent code injection from a multiline asp:textbox

  • Question

  • User-1694925868 posted

    I have been tasked with making a website more secure. It is a fundraising application that is set up like eBay, with employees buying and selling their baked goods. The problem is that it has a large asp:textbox with the TextMode attribute set to MultiLine that I fear is vulnerable to code injection or XSS JavaScript injection. The textbox is large enough to handle 1000 characters plus links to images they want to use to show what they are selling. I need help understanding what I need to do to make this secure. Give me some basic steps so that my users can insert their links and special characters into the textbox while preventing code injection.

    Screen shot

    Friday, May 8, 2020 8:25 PM

Answers

  • User475983607 posted

    Rather than allowing the user to enter HTML like:

    <a href="https://www.domain.com/path/to/the/thing">Thing</a>

    provide the user an interface where the user can add a link by entering the href and link text separately.

    If the above solution is not good enough then you need to realize that this is a rather complex feature.  Do an internet search for libraries that specialize in sanitizing user input.  Building your own is tough.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, May 8, 2020 9:39 PM
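One way to implement the structured-input approach from the answer above, as an added example that is not part of the original thread and not code from the question's application: the description stays plain text and is HTML-encoded on output, while links and images come from separate href/text and src/alt fields whose URLs are checked against an http/https allow-list before being encoded into attributes. The class name `ListingRenderer`, the method names and the sample inputs are assumptions made for this example.

```csharp
using System;
using System.Net;

// Hypothetical helper (not from the original post). Renders a listing from
// structured fields so the user never gets to write raw HTML.
public static class ListingRenderer
{
    // Accept only absolute http/https URLs. This rejects javascript:, data:,
    // vbscript: and file: URLs, which are the usual vectors in href/src.
    public static bool IsSafeHttpUrl(string candidate, out Uri uri)
    {
        uri = null;
        if (string.IsNullOrWhiteSpace(candidate)) return false;
        if (!Uri.TryCreate(candidate.Trim(), UriKind.Absolute, out uri)) return false;
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    // Free-text description: encode everything, then turn newlines into <br>
    // so a MultiLine textbox still displays as the user typed it.
    public static string RenderDescription(string text)
    {
        string encoded = WebUtility.HtmlEncode(text ?? string.Empty);
        return encoded.Replace("\r\n", "<br>").Replace("\n", "<br>");
    }

    // Link built from two separate inputs. Returns null for an unacceptable URL
    // so the page can show a validation message instead of silently dropping it.
    public static string RenderLink(string href, string linkText)
    {
        if (!IsSafeHttpUrl(href, out Uri uri)) return null;
        string safeHref = WebUtility.HtmlEncode(uri.AbsoluteUri);
        string shown = string.IsNullOrWhiteSpace(linkText) ? uri.Host : linkText;
        string safeText = WebUtility.HtmlEncode(shown);
        return "<a href=\"" + safeHref + "\" rel=\"noopener noreferrer\">" + safeText + "</a>";
    }

    // Image reference from a separate src field plus an alt text field.
    public static string RenderImage(string src, string altText)
    {
        if (!IsSafeHttpUrl(src, out Uri uri)) return null;
        string safeSrc = WebUtility.HtmlEncode(uri.AbsoluteUri);
        string safeAlt = WebUtility.HtmlEncode(altText ?? string.Empty);
        return "<img src=\"" + safeSrc + "\" alt=\"" + safeAlt + "\">";
    }

    public static void Main()
    {
        // Constructed sample inputs, including attempts to smuggle script through
        // the description text and through the link/image URL fields.
        Console.WriteLine(RenderDescription("Chocolate chip cookies <script>alert(1)</script>\n$5 & up"));
        // -> Chocolate chip cookies &lt;script&gt;alert(1)&lt;/script&gt;<br>$5 &amp; up

        Console.WriteLine(RenderLink("https://www.domain.com/path/to/the/thing?a=1&b=2", "Thing"));
        // -> <a href="https://www.domain.com/path/to/the/thing?a=1&amp;b=2" rel="noopener noreferrer">Thing</a>

        Console.WriteLine(RenderLink("javascript:alert(document.cookie)", "Click me") ?? "link rejected");
        // -> link rejected

        Console.WriteLine(RenderLink("https://www.domain.com/x", "\" onmouseover=\"alert(1)"));
        // -> the quote and attribute text are encoded, so no attribute injection occurs

        Console.WriteLine(RenderImage("https://img.domain.com/cookies.jpg", "Cookies") ?? "image rejected");
        Console.WriteLine(RenderImage("data:text/html;base64,PHNjcmlwdD4=", "x") ?? "image rejected");
        // -> image rejected
    }
}
```

On the Web Forms side the returned strings are already encoded, so they are assigned to a `Literal` or `HtmlGenericControl` as markup; the raw textbox value itself is never written to the page. Request validation (`ValidateRequest`) is only a backstop, since it is not a substitute for output encoding, and if the design later needs genuine rich text the answer's second point applies: use an established HTML sanitizing library rather than writing one.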