Last post Feb 12, 2015 02:46 PM by Alexey Nagoga
Aug 13, 2013 02:31 PM | houmy
Is there any point in passing information read from a DB through AntiXSS filters if the only way it could have been saved to the DB in the first place was by going through an AntiXSS filter? I have dynamic pages that pull information from a DB. That information was submitted by other users, and before being saved to the DB all the input was passed through and confirmed by AntiXSS filters. I don't really see a point in putting the information through the filters again once the dynamic page is populated from the DB?
Aug 13, 2013 03:29 PM | BrockAllen
On the way in, you're talking about the AntiXSS Sanitize APIs? These don't quite do the same thing on the way in that the encoding APIs do on the way out. The intent of the sanitize APIs is to convert "unsafe" HTML to "clean" HTML. Now of course if all you do is use them on simple values, the dangerous stuff will still get stripped out. I guess you'd have to test the various types of input you're looking at to ensure the sanitize APIs are working the way you want them to.
If you then use the encoding APIs on the way out, you'll ensure that the values are properly encoded, so this tends to be the easiest approach. Also, since the data in the DB was put there prior to your code cleaning it on the way in, I'd still suggest encoding it on the way out.
On the other hand, if you do both and the input is intended as markup, then you'll end up with the double-encoding issue.
Aug 16, 2013 11:45 AM | houmy
Thank you for your reply. My main point, however, was that the data in the DB would already have been cleaned before being submitted to the DB, so the DB would not contain anything malicious. Do you think it still needs to be cleaned/encoded on the way out?
My main reason for not doing it on the way out is that some formatting gets lost, and I would have to go through a lot of code that I already have to make sure the formatting gets fixed again. That's what I get, I guess, for thinking of security at the last
Aug 16, 2013 01:12 PM | BrockAllen
Well, that's a tough call. For me, I'd try to do everything I can to encode on the way out.
What sort of formatted data are you storing in the DB?
Aug 16, 2013 04:41 PM | houmy
I would agree with you and will work to encode both ways. I guess I need to figure it out once and then it should run smoothly, as I only have a few master page templates that read from the DB, and once I figure out how to fix the formatting it should work fine from that point on.
The data that is stored in the DB and then read back to populate the pages is nvarchar, which I guess is a great candidate to store malicious code and scripts in if somebody wanted to do some harm.
Sep 22, 2013 01:47 PM | speshulk926
You do it both ways just in case your DB was to be compromised for some reason. You don't want data that is coming into the DB (from any source, even if you think the only way in is through your code) to be displayed to an end user unencoded.
Feb 12, 2015 02:46 PM | Alexey Nagoga
You as a developer can't guarantee that your application is the only one that writes to that database, right? Therefore you can't guarantee that the data in the database is safe.