Re: Datagrid security hole????
From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 07/07/02
- Next message: Aaron Margosis [MS]: "Re: How to let users log on from internet with admin privilges?"
- Previous message: Aaron Margosis [MS]: "Re: Is it possible to use form authentication like basic URL?"
- In reply to: Marco Paci: "Datagrid security hole????"
- Next in thread: Michael Howard [MS]: "Re: Datagrid security hole????"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com>
Date: Sun, 7 Jul 2002 01:16:20 -0400
All user input must always be filtered and validated before being used.
Never insert unknown and unfiltered data directly into web pages, SQL
queries, or other command strings.
-- Aaron
"Marco Paci" <mpaci@omniway.sm> wrote in message
news:OUdICAGJCHA.1772@tkmsftngp09...
> Hello all,
> I'm working on the development of an application used to collect
> requests for help from users of a service. Users insert a description of
> their problem in our database.
> To visualize the pending requests I wanna use a Datagrid. I noticed that if
> someone stores a javascript in the field for the description of the problem,
> when I visualize the Datagrid the javascript is executed.
> I wanna keep this kind of user interface without giving up using the datagrid
> to render the data. Can anyone suggest a solution?
> I hope this problem will be discussed at length on this newsgroup because it
> seems to me the kind of behaviour that can too easily introduce threats in
> asp.net applications.
> TIA
> Marco Paci
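The rendering problem described in the question and the "never insert unfiltered data directly into web pages" advice in the reply, as an added example that is not part of either post: a stand-alone C# console program in which `HelpRequestGrid`, `IsValidDescription`, `RenderRows` and the 2000-character limit are hypothetical names and values, and the sample rows are constructed. It shows that an input check alone still lets the script row through, while HTML-encoding each value as it is written into a cell renders it as inert text; in a DataGrid the same encoding call would be applied to the description cell when the row is data-bound.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

// Added illustration: mimics a grid rendering one "description" column.
static class HelpRequestGrid
{
    // Upper bound on description length; an assumed limit for this example.
    const int MaxDescriptionLength = 2000;

    // Input-side check: reject empty or oversized text and control characters
    // other than tab, CR and LF. This limits what gets stored, but it does not
    // make the text safe to emit as HTML.
    public static bool IsValidDescription(string text)
    {
        if (string.IsNullOrWhiteSpace(text) || text.Length > MaxDescriptionLength)
            return false;
        foreach (char c in text)
            if (char.IsControl(c) && c != '\t' && c != '\r' && c != '\n')
                return false;
        return true;
    }

    // Output-side fix: HTML-encode every stored value as it is written into a cell.
    public static string RenderRows(IEnumerable<string> descriptions, bool encode)
    {
        var html = new StringBuilder("<table>\n");
        foreach (string d in descriptions)
        {
            string cell = encode ? WebUtility.HtmlEncode(d) : d;
            html.Append("  <tr><td>").Append(cell).Append("</td></tr>\n");
        }
        return html.Append("</table>").ToString();
    }

    static void Main()
    {
        // Constructed sample rows, standing in for values read from the database.
        var stored = new List<string> {
            "Printer on floor 2 is offline",
            "<script>alert('stored script')</script>",
            "Login fails when password contains < or &"
        };
        foreach (string s in stored)   // all three rows pass the input check
            Console.WriteLine("{0,-5} {1}", IsValidDescription(s), s);
        Console.WriteLine(RenderRows(stored, encode: false)); // script tag reaches the page
        Console.WriteLine(RenderRows(stored, encode: true));  // markup shown as plain text
    }
}
```

The third row is legitimate text containing `<` and `&`; encoding on output displays it unchanged to the reader, which a filter that strips those characters would not.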