Re: Escape html tags and other dangerous input
From: Shabam (blislecp_at_hotmail.com)
Date: 09/29/04
- Next message: Yaseen D M: "Active Directory Cache"
- Previous message: Michel Gallant: "Re: Strong names - are these cryptographic??"
- In reply to: Ben Lucas: "Re: Escape html tags and other dangerous input"
- Next in thread: Ben Lucas: "Re: Escape html tags and other dangerous input"
- Reply: Ben Lucas: "Re: Escape html tags and other dangerous input"
- Reply: Shawn Farkas [MS]: "Re: Escape html tags and other dangerous input"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Sep 2004 00:35:53 -0700
"Ben Lucas" <ben@nospam.solien.nospam.com> wrote in message
news:LLSdncYLs6CB9sTcRVn-hA@comcast.com...
> To prevent this kind of injection attack, I would validate the user input
> and disallow the offending characters. If you were not using it in a
> hyperlink, I would suggest HTML Encoding it, as that would prevent the HTML
> injection, but that doesn't help with the ampersand, and the search page
> would need to HTML Unencode it or it would affect the search results. If
> you cannot disallow the offending characters, then you will need some way to
> change the ampersand on your querystring so that it is not an ampersand but
> can be interpreted by the search page correctly.
Besides the following characters, which others are potentially dangerous?
Is there a complete list somewhere?
', %, #, &, !
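The encoding problem the thread circles around (an ampersand inside a search term breaking the query string, and angle brackets breaking the page) is really two different output contexts that each need their own encoder. The following is an added example and is not code from this thread or from any poster; it uses Python's standard library rather than the ASP.NET helpers the newsgroup would have had in mind, the `/search.aspx` path and function names are illustrative, and the sample search term is constructed.

```python
"""
Encode a user-supplied search term for each context it passes through:
URL-encode it when it is placed in a query string, HTML-encode it when it
is written into the page.  The receiving page then gets the original term
back without any manual "HTML Unencode" step.
"""
from html import escape
from urllib.parse import urlencode, parse_qs, urlsplit

SEARCH_PAGE = "/search.aspx"   # assumed path, placeholder for the example


def naive_link(term: str) -> str:
    """The bug: the raw term pasted into a query string.  '&' starts a new
    parameter and '#' starts a fragment, so the search page sees a truncated
    term (or no term at all)."""
    return f"{SEARCH_PAGE}?q={term}"


def build_link(term: str) -> str:
    """Fixed: URL-encode the term so '&', '#', '%', '+' and friends are
    plain data inside the value and cannot change the query structure."""
    return f"{SEARCH_PAGE}?{urlencode({'q': term})}"


def render_anchor(term: str) -> str:
    """Write the link into HTML.  The href is already URL-encoded; the
    attribute value and the visible text are HTML-encoded on top of that,
    which is what stops '<b>' or '<script>' from being parsed as markup."""
    href = build_link(term)
    return f'<a href="{escape(href, quote=True)}">{escape(term)}</a>'


def term_from_url(url: str) -> str:
    """Server side: recover the term from the request URL.  The query-string
    parser reverses the URL encoding automatically, so the search runs on
    exactly what the user typed."""
    query = urlsplit(url).query
    return parse_qs(query).get("q", [""])[0]


if __name__ == "__main__":
    # Constructed sample input containing every character the thread lists.
    sample = "Tom & Jerry's <b>100%</b> #1!"
    print("naive :", naive_link(sample), "->", repr(term_from_url(naive_link(sample))))
    print("encoded:", build_link(sample), "->", repr(term_from_url(build_link(sample))))
    print("html  :", render_anchor(sample))
```

Running it shows the naive link arriving at the search page as just `'Tom '`, while the URL-encoded link round-trips the full term; the rendered anchor carries the term as `&amp;`, `&lt;b&gt;` and so on, so nothing in it is interpreted as markup. The practical answer to "is there a complete list of dangerous characters" is that the set depends on the context (query string, HTML text, HTML attribute, SQL, shell) and an encoder for each context is safer than a blacklist.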