damieng wrote:
    I totally disagree with HTML-encoding data going *into* the database even as an option or choice.

Agreed - 100%. What I'm looking at is the issue where someone does a "myObject.UpdateFrom(Request.Form)" and then spins it back to the browser on error, validation, or...? You have to agree that there is a hole here that I need to consider.

damieng wrote:
    You end up protecting a very singular scenario - poorly written sites that deal only with your encoded data.

Unfortunately that singular scenario dominates :(.

damieng wrote:
    The problem is purely one of output and should be treated as such.

I just read your posts on this issue and I have to say you're violating your own rule:

damieng wrote:
    Vulnerable code often looks like this:
    myLabel.Text = Request.Form["Something"];

In this example you show how a developer will take a Request value and spin it back to the page. This is the hole I speak of.
So - I'd like to ask you guys - what is the problem with having two methods? UpdateFrom() and UpdateFromRaw()? From your responses I think you guys are positioning me as dictating "all things must be encoded" when that's not the case. Would you rather it be UpdateFromEncoded()?
I'd like to focus on this rather than my ignorance if that's OK with you guys ;).
robconery
Participant
852 Points
195 Posts
Re: UpdateFrom and Encoding
Dec 19, 2007 05:36 PM
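To make the trade-off in this exchange concrete, here is an added example that is not code from the thread, from SubSonic, or from either poster. It models the two proposed methods as `update_from_raw()` and `update_from_encoded()` (hypothetical names standing in for UpdateFrom()/UpdateFromRaw()), the hole robconery describes as `render_vulnerable()` (the Python equivalent of `myLabel.Text = Request.Form["Something"];`), and damieng's "purely one of output" position as `render_safe()`. The `Customer` class and the `FORM` dictionary are constructed stand-ins for a model object and Request.Form; only the standard library is used, so it runs offline.

```python
"""Illustrative model of the UpdateFrom()/UpdateFromRaw() debate.

Added example; class and function names are assumptions, not SubSonic's API.
"""
import html


class Customer:
    """Stand-in for a model object that UpdateFrom() would populate (hypothetical)."""

    def __init__(self):
        self.name = ""
        self.notes = ""


# Constructed form post, standing in for Request.Form. The name field carries a
# script injection; the notes field carries harmless characters that HTML
# encoding would nonetheless rewrite.
FORM = {
    "name": "<script>alert(1)</script>",
    "notes": "Tom & Jerry's \"shop\"",
}


def update_from_raw(obj, form):
    """Copy form fields onto the object unchanged: what was typed is what is stored."""
    for key, value in form.items():
        if hasattr(obj, key):
            setattr(obj, key, value)
    return obj


def update_from_encoded(obj, form):
    """The contested variant: HTML-encode on the way in, before storage."""
    for key, value in form.items():
        if hasattr(obj, key):
            setattr(obj, key, html.escape(value, quote=True))
    return obj


def render_vulnerable(obj):
    """The hole under discussion: the stored value is spun back into markup untouched
    (the Python equivalent of myLabel.Text = Request.Form["Something"];)."""
    return f"<label>{obj.name}</label>"


def render_safe(obj):
    """Treat the problem as one of output: encode at the HTML sink, nowhere else."""
    return f"<label>{html.escape(obj.name, quote=True)}</label>"


def export_plain(obj):
    """A non-HTML sink (CSV export, e-mail body, API) that wants the value as typed."""
    return obj.notes


def compare_strategies(form=FORM):
    """Run the same form through both update strategies and both renderers."""
    raw = update_from_raw(Customer(), form)
    enc = update_from_encoded(Customer(), form)
    return {
        # raw storage + raw output: the injection reaches the browser intact
        "raw_vulnerable": render_vulnerable(raw),
        # raw storage + encoded output: safe, and the stored data is still the user's data
        "raw_safe": render_safe(raw),
        # encoded storage + raw output: safe, but only because the output code is sloppy
        "enc_vulnerable": render_vulnerable(enc),
        # encoded storage + encoded output: double-encoded; the page shows "&lt;script&gt;"
        "enc_safe": render_safe(enc),
        # encoded storage reaching a non-HTML sink: the user's text arrives corrupted
        "raw_export": export_plain(raw),
        "enc_export": export_plain(enc),
    }


if __name__ == "__main__":
    for label, value in compare_strategies().items():
        print(f"{label:15} {value}")
```

The `enc_vulnerable` row is the "very singular scenario" damieng refers to: encoding on input only helps the page that forgot to encode on output, and the cost shows up in the `enc_safe` and `enc_export` rows, where every correctly written consumer now gets data that no longer matches what the user entered.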