Re: Escape html tags and other dangerous input

From: Nicole Calinoiu (ngcalinoiu)
Date: 09/30/04


Date: Thu, 30 Sep 2004 10:35:09 -0400

If this is an ASP.NET application, you can take advantage of the UrlEncode
and HtmlEncode methods of the System.Web.HttpServerUtility class. Some
methods of some ASP.NET controls will HTML-encode for you, but the
System.Web.UI.WebControls.HyperLink control doesn't. Assuming you are using
the HyperLink control to display the link, you should URL-encode the hobby
value and HTML-encode the display text. e.g. (assuming that you've already
verified that the hobbyName string is not null):

yourHyperLink.NavigateUrl = "http://www.domain.com/search.aspx?hobby=" +
Server.UrlEncode(hobbyName);
yourHyperLink.Text = Server.HtmlEncode(hobbyName);

In the search page, you can simply read the value from the query string
items collection since it will already have been URL-decoded by the
underlying .NET objects. e.g.:

hobbyName = Request.QueryString["hobby"];

Of course, if you are going to display this value to the user in the search
page, you should URL- or HTML-encode it, as appropriate.

Also, you should keep in mind that, while validation of the user-provided
values is certainly a good idea, it is highly unlikely to eliminate all
display problems (particularly those involving client-side encoding of
non-low ASCII characters) unless it is sufficiently strict to potentially
interfere with intended functionality. Even if your initial validation
screens out all characters that could potentially interfere with HTML
rendering or functionality, later changes may re-introduce the acceptance of
such characters, and this will cause problems unless the application can
accommodate them via appropriate render-time encoding. In addition, the web
user interface is rarely the only mechanism via which data can be provided
(e.g.: direct entry into the underlying db or files is usually possible),
and your code should probably accommodate even innocent mistakes at that
level.

HTH,
Nicole

"Shabam" <blislecp@hotmail.com> wrote in message
news:1_CdnUexgrlxtsTcRVn-rw@adelphia.com...
> I have an application that stores user input via a text box. The text box
> lets users enter their hobby, which can then be viewed in their page by
> others. This hobby is linked by the application so that it searches the
> database for other users who have the same hobby. The search string is
> displayed as:
> WHATEVER
>
> The problem comes when the user inputs something invalid like "&". This is
> obviously interpreted by the server as another variable, and can mess things
> up when a viewing user clicks on the link, since the search engine does take
> on other fields too.
>
> Another would be if the user tries to inject html tags like "><THEIR HTML>".
> This would mess up the remainder of the page obviously.
>
> What is the best way to filter out such nasty input? There may also be
> others that I'm unaware of. I'm taking care of SQL injection by using
> parameterized sql queries.
>
> Are there library functions I can just use or do I have to do this
> manually?
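The encode-then-decode round trip described in the reply above, as an added example that is not part of the original thread: the naive concatenation from the question sits beside the encoded version, and the search-page side shows that the query-string value comes back decoded. It assumes a .NET console app using the static System.Web.HttpUtility methods (the same encoders behind Server.UrlEncode/HtmlEncode), a hand-rendered anchor in place of the HyperLink control, and constructed hobby values.

```csharp
// Added example, not code from the original post. Assumes System.Web.HttpUtility
// is available (it is in .NET Framework and in .NET Core 2.0+ / .NET 5+).
using System;
using System.Web;

static class HobbyLink
{
    const string SearchPage = "http://www.domain.com/search.aspx";

    // Unsafe: raw concatenation, as in the original question. A hobby such as
    // "rock & roll" breaks the query string; "><b>..." breaks the page markup.
    public static string BuildNaive(string hobbyName) =>
        "<a href=\"" + SearchPage + "?hobby=" + hobbyName + "\">" + hobbyName + "</a>";

    // Safe: URL-encode the query value, then HTML-encode the href attribute
    // and the visible link text (what HyperLink.NavigateUrl/Text need).
    public static string BuildEncoded(string hobbyName)
    {
        string url = SearchPage + "?hobby=" + HttpUtility.UrlEncode(hobbyName);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(url) + "\">"
             + HttpUtility.HtmlEncode(hobbyName) + "</a>";
    }

    // What the search page sees: like Request.QueryString, ParseQueryString
    // returns the value already URL-decoded, so no manual decoding is needed.
    public static string ReadHobbyFromUrl(string url)
    {
        string query = url.Substring(url.IndexOf('?'));   // "?hobby=..."
        return HttpUtility.ParseQueryString(query)["hobby"];
    }

    static void Main()
    {
        // Constructed sample values: a query-string breaker, a markup breaker,
        // and a non-ASCII character that plain validation would have to reject.
        string[] hobbies = { "rock & roll", "\"><b>bold</b>", "caf\u00e9" };
        foreach (string h in hobbies)
        {
            Console.WriteLine("naive:   " + BuildNaive(h));
            Console.WriteLine("encoded: " + BuildEncoded(h));
            string url = SearchPage + "?hobby=" + HttpUtility.UrlEncode(h);
            Console.WriteLine("search page reads: " + ReadHobbyFromUrl(url));
            Console.WriteLine();
        }
    }
}
```

Each value survives the round trip intact, so the search page receives the original hobby text without any input filtering having been applied.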
