Last post Apr 05, 2013 12:07 PM by psinet
Apr 03, 2013 01:52 PM | AceHigh26
I have a form where any characters are acceptable input. Obviously this leaves me vulnerable to XSS attacks. I know there are a few options, such as making sure ValidateRequest is set to true on my ASP.NET pages, and/or using the HTML encode utility. If I do this, however, I won't be able to get the form to submit, since I get the "a dangerous request...." error due to the characters I am allowing to be input. The problem I have is I don't necessarily want encoded data input into my MSSQL database, for a variety of reasons. The main reason is that displaying the data and/or decoding the data through ad hocs and SRS reports is not easy.
My question is what is the best way to handle the above situation?
Apr 05, 2013 09:00 AM | psinet
If you need to turn ValidateRequest off, then what you need to do is 'HtmlEncode' the string when you return the value back to the browser. This will ensure that any script or HTML is displayed as text, not processed by the browser.
But again, this is not recommended unless you have to: http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx
Apr 05, 2013 11:46 AM | AceHigh26
I don't think that will work, because let's say I accept characters such as < or & etc. If I save to the database as those characters un-encoded, then encode them to the screen, they will see a bunch of encoding characters and not the original text.
Apr 05, 2013 12:07 PM | psinet
It won't show as encoded to the person viewing the page. It will display special characters like '<' and '>' as is.
Response.Write(Server.HtmlEncode("<b>This is HTML!</b>")); // the user sees the literal text <b>This is HTML!</b> on the page, not bold text
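To illustrate psinet's point, here is an added example (not code from the thread): the raw text is what gets stored, HtmlEncode is applied only when the value is written into the response, and encoding before storing is shown to produce the double-encoding AceHigh26 was worried about. The sample input and the StoreRaw/Render helper names are constructed for the demonstration.

```csharp
using System;
using System.Net;

// Added example, not from the original thread.
class OutputEncodingDemo
{
    // What gets persisted in MSSQL: the user's text exactly as typed,
    // so ad hoc queries and SRS reports read the original without decoding.
    static string StoreRaw(string userInput) => userInput;

    // What gets emitted into the HTML response: entity-encoded so the browser
    // renders '<', '>' and '&' as visible characters instead of markup.
    // In a Web Forms page this is the same thing <%: value %> or Server.HtmlEncode does.
    static string Render(string storedValue) => WebUtility.HtmlEncode(storedValue);

    static void Main()
    {
        // Constructed sample input using the same characters discussed in the thread.
        string submitted = "<b>This is HTML!</b> & more";

        string stored = StoreRaw(submitted);
        string html = Render(stored);

        Console.WriteLine(html);
        // HTML source: &lt;b&gt;This is HTML!&lt;/b&gt; &amp; more
        // Browser shows: <b>This is HTML!</b> & more   (as plain text, nothing rendered bold)

        // The database still holds the original text.
        Console.WriteLine(stored == submitted); // True

        // The wrong order: encode before storing, then encode again on output.
        // This is what makes the user "see a bunch of encoding characters".
        string storedEncoded = WebUtility.HtmlEncode(submitted);
        string doubleEncoded = Render(storedEncoded);
        Console.WriteLine(doubleEncoded);
        // HTML source: &amp;lt;b&amp;gt;This is HTML!&amp;lt;/b&amp;gt; &amp;amp; more
        // Browser shows: &lt;b&gt;This is HTML!&lt;/b&gt; &amp; more   (garbled for the reader)
    }
}
```

Storing raw and encoding once at the output boundary keeps both the reports and the page correct; the risk appears only if some other code path writes the stored value into HTML without going through Render.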