Re: Datagrid security hole????

From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com>
Date: Sun, 7 Jul 2002 01:16:20 -0400


All user input must always be filtered and validated before being used.
Never insert unknown and unfiltered data directly into web pages, SQL
queries, or other command strings.

-- Aaron

"Marco Paci" <mpaci@omniway.sm> wrote in message
news:OUdICAGJCHA.1772@tkmsftngp09...
> Hello all,
> I'm working on the development of an application used to collect
> requests of help from users of a service. Users insert a description of
> their problem in our database.
> To visualize the pending requests I wanna use a Datagrid. I noticed that if
> someone stores a javascript in the field for the description of the problem,
> when I visualize the Datagrid the javascript is executed.
> I wanna keep this kind of user interface without giving up using the datagrid
> to render the data. Can anyone suggest a solution?
> I hope this problem will be long discussed on this newsgroup because it
> seems to me the kind of behaviour that can introduce too easily threats in
> asp.net applications.
> Tia
> Marco Paci
>
>
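
One way to apply the advice above to the DataGrid in the question, as an added example that is not code from either poster: HTML-encode every bound cell in an `ItemDataBound` handler so stored markup is displayed as text instead of being executed. The names `RequestsPage`, `RequestsGrid`, `LoadRequests` and `EncodeCells` and the sample rows are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Requests.aspx whose markup declares
// <asp:DataGrid id="RequestsGrid" runat="server" /> (assumed names).
public class RequestsPage : Page
{
    protected DataGrid RequestsGrid;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Attach the handler before any data binding takes place.
        RequestsGrid.ItemDataBound += new DataGridItemEventHandler(EncodeCells);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!IsPostBack)
        {
            RequestsGrid.DataSource = LoadRequests();
            RequestsGrid.DataBind();
        }
    }

    // Constructed sample rows standing in for the help-request table.
    private static DataTable LoadRequests()
    {
        DataTable table = new DataTable("Requests");
        table.Columns.Add("Id", typeof(int));
        table.Columns.Add("Description", typeof(string));
        table.Rows.Add(new object[] { 1, "Cannot log in since Monday" });
        table.Rows.Add(new object[] { 2, "<script>alert('stored')</script>" });
        return table;
    }

    // Bound cells are written to the page as raw HTML, so encode each data
    // cell once its text has been bound.
    private static void EncodeCells(object sender, DataGridItemEventArgs e)
    {
        ListItemType type = e.Item.ItemType;
        if (type != ListItemType.Item && type != ListItemType.AlternatingItem
            && type != ListItemType.SelectedItem)
            return; // header, footer, pager and edit rows hold no bound text
        foreach (TableCell cell in e.Item.Cells)
        {
            // Setting Text discards child controls; "&nbsp;" is the grid's
            // own placeholder for an empty value, not user data.
            if (cell.HasControls() || cell.Text == "&nbsp;") continue;
            cell.Text = HttpUtility.HtmlEncode(cell.Text);
        }
    }
}
```

With this handler in place the second sample row is rendered as the literal text of the tag (`&lt;script&gt;...`), and the same encoding applies to any other page that displays the description field.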