Re: ASP web form security / validation
From: Tom Kaminski [MVP] ((A_at_T))
Date: 03/04/04
- Next message: EricG: "Re: IIS 6.. cannot logon without entering Domain name"
- Previous message: KDK: "RE: IIS 5.1 (XP Pro) XML Security Issue"
- In reply to: Brian Madden: "ASP web form security / validation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 4 Mar 2004 14:13:16 -0500
"Brian Madden" <brian@brianmadden.com> wrote in message
news:ekBvCsfAEHA.2804@tk2msftngp13.phx.gbl...
> Hello All,
>
> I'm developing a website (ASP, not ASP.NET) that allows users to post
> comments about articles. The ASP page displays the comments right out of
> the database.
>
> I'm worried that a rogue user might add some javascript or something to
> their comment so that it executes on other users' browsers when they view
> the page.
>
> I've done a ton of searching on this, and all I can find are javascript
> validation routines that seem like they would be easy to circumvent (since
> someone could just POST to the ASP page directly). So, what do people
> usually do in these situations? Should I use a SQL trigger that checks
> each new comment for "<!--" or something?
If you use Response.Write Server.HTMLEncode(postedcomment) you should be OK.
--
Tom Kaminski IIS MVP
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://mvp.support.microsoft.com/
http://www.microsoft.com/windowsserver2003/community/centers/iis/
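The output-encoding approach Tom describes, as an added classic ASP (VBScript) example that is not code from either poster: a constructed array stands in for the recordset from the comments table, and the SafeComment helper and its sample comments are assumptions for illustration.

```asp
<%@ Language="VBScript" %>
<%
' Added example: render user comments with Server.HTMLEncode so any markup a
' user typed is shown as literal text instead of being interpreted by the browser.
' Constructed sample data stands in for the rows read from the comments table.
Option Explicit

Dim comments(1)
comments(0) = "Great article, thanks!" & vbCrLf & "Looking forward to part two."
comments(1) = "Nice <script>alert('xss')</script> article"   ' constructed hostile input

' Encode first, then convert line breaks to <br> tags. Because encoding happens
' before the replace, the only tags in the output are the ones this page adds;
' HTMLEncode turns <, >, & and " into entities, so a user cannot supply their own.
Function SafeComment(text)
    SafeComment = Replace(Server.HTMLEncode(text), vbCrLf, "<br>")
End Function
%>
<html>
<body>
<h2>Comments</h2>
<%
Dim i
For i = 0 To UBound(comments)
%>
  <p><%= SafeComment(comments(i)) %></p>
<%
Next
%>
</body>
</html>
```

Server.HTMLEncode is an encoder for element content and double-quoted attribute values; it does not encode the single quote, so comment text should not be placed inside single-quoted attributes, inline event handlers or script blocks, where a different encoding is needed.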