Re: Escape html tags and other dangerous input

From: Ben Lucas (ben_at_nospam.solien.nospam.com)
Date: 09/28/04
To prevent this kind of injection attack, I would validate the user input
and disallow the offending characters. If you were not using it in a
hyperlink, I would suggest HTML Encoding it, as that would prevent the HTML
injection, but that doesn't help with the ampersand, and the search page
would need to HTML Unencode it or it would affect the search results. If
you cannot disallow the offending characters, then you will need some way to
change the ampersand on your querystring so that it is not an ampersand but
can be interpreted by the search page correctly.

Hope this helps.

-- 
Ben Lucas
Lead Developer
Solien Technology, Inc.
www.solien.com
"Shabam" <blislecp@hotmail.com> wrote in message
news:1_CdnUexgrlxtsTcRVn-rw@adelphia.com...
> I have an application that stores user input via a text box.  The text box
> lets users enter their hobby, which can then be viewed in their page by
> others.  This hobby is linked by the application so that it searches the
> database for other users who have the same hobby.  The search string is
> displayed as:
> WHATEVER
>
> The problem comes when the user inputs something invalid like "&".  This
> is obviously interpreted by the server as another variable, and can mess
> things up when a viewing user clicks on the link, since the search engine
> does take on other fields too.
>
> Another would be if the user tries to inject html tags like "><THEIR
> HTML>".  This would mess up the remainder of the page obviously.
>
> What is the best way to filter out such nasty input?  There may also be
> others that I'm unaware of.  I'm taking care of SQL injection by using
> parameterized sql queries.
>
> Are there library functions I can just use or do I have to do this
> manually?
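The two encoders Ben's reply points at (HTML encoding for the page, and a way to change the ampersand in the query string so the search page still reads it correctly) applied to the hobby link from the question, as an added example that is not part of the original thread. It is written in Python rather than ASP so it runs stand-alone; the search page path, the deliberately naive link builder and the sample hobbies are constructed assumptions, not anything from the thread.

```python
import html
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed name for the search page; the thread never gives the real URL.
SEARCH_PATH = "/hobby_search.asp"


def naive_hobby_link(hobby: str) -> str:
    """The pattern the question describes: the raw hobby text is dropped
    straight into the query string and into the page. Deliberately unsafe,
    kept only to show the two failure modes the question reports."""
    return f'<a href="{SEARCH_PATH}?hobby={hobby}">{hobby}</a>'


def safe_hobby_link(hobby: str) -> str:
    """Hardened version: one encoder per output context.

    urlencode() URL-encodes the value, so '&', '=', '#' and '+' inside the
    hobby can no longer act as parameter separators ('&' becomes '%26').
    html.escape() then HTML-encodes the href attribute and the visible link
    text, so '<', '>' and '"' cannot break out of the tag. Because the URL
    encoding has already replaced every HTML-significant character in the
    query string, the two layers compose: the browser HTML-decodes the
    attribute, follows the URL, and the search page URL-decodes the
    parameter back to exactly what the user typed.
    """
    href = f"{SEARCH_PATH}?{urlencode({'hobby': hobby})}"
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(hobby, quote=True)}</a>')


def href_of(anchor_html: str) -> str:
    """Recover the href the way a browser would: take the attribute value up
    to the next double quote, then HTML-decode it. On the naive link an
    injected '"' ends the attribute early, exactly as it would in a browser."""
    start = anchor_html.index('href="') + len('href="')
    end = anchor_html.index('"', start)
    return html.unescape(anchor_html[start:end])


def search_page_params(href: str) -> dict:
    """What the search page receives once the link is followed: the query
    string split on '&' and '=', URL-decoded, first value per name."""
    return {k: v[0] for k, v in parse_qs(urlsplit(href).query).items()}


if __name__ == "__main__":
    # Constructed sample inputs: an innocent '&' plus a smuggled parameter,
    # and an injected tag.
    for hobby in ["Rock & Roll&admin=1", '"><script>alert(1)</script>']:
        for build in (naive_hobby_link, safe_hobby_link):
            link = build(hobby)
            print(build.__name__, link)
            print("   search page sees:", search_page_params(href_of(link)))
```

With the naive builder the search page sees the hobby truncated to "Rock " and a stray "admin=1" parameter, and the script tag lands in the page verbatim; with the hardened builder it sees the full hobby string and the tag is rendered as text. Ben's other suggestion, validating the input up front and rejecting characters the hobby field has no business containing, is a separate layer that sits in front of this encoding rather than replacing it.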
