BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640
Old January 26th, 2008, 08:35 AM
Authorized User
 
Join Date: Jun 2006
Posts: 46
Thanks: 0
Thanked 0 Times in 0 Posts
Encoding User Input

Hi everyone,
I've noticed, in TBH, user comments and forum posts are not being decoded. Is Marco not validating these inputs? Or am I missing something?
And what should we do to validate these user inputs?
 
Old February 4th, 2008, 11:28 AM
Friend of Wrox
 
Join Date: Mar 2006
Posts: 310
Thanks: 0
Thanked 0 Times in 0 Posts

I don't know about comments, but the decoding of posts is done by FCKeditor!

If you disable the "view code" button on its toolbar, the user can't insert HTML tags (or they will be decoded by FCK).

 
Old February 5th, 2008, 09:27 AM
Authorized User
 
Join Date: Jun 2006
Posts: 46
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks, Maxxim, for your reply.
I've figured out what I was missing; user comments are being encoded into HTML while being displayed back to the browser, and that's what we need to avoid scripting attacks. And I guess you are right, forum posts are encoded by FCKeditor.
Sorry, I was using the wrong word; we don't have to "decode" the user content, we "encode" user content into HTML while displaying it back to the browser.


 
Old February 5th, 2008, 08:40 PM
Friend of Wrox
 
Join Date: Jun 2003
Posts: 917
Thanks: 0
Thanked 0 Times in 0 Posts

I just got back from the quarterly MSDN event where they discussed security. Microsoft is backing away from Server.HtmlEncode and they prefer a more aggressive approach now. Their "Anti Cross-Site Scripting Library" is a small, light-weight DLL that we can add to our applications. This uses white-list filtering instead of the black-list filtering in Server.HtmlEncode. The syntax is simple, you just use "AntiXss.HtmlEncode". Get it here:

http://msdn2.microsoft.com/en-us/library/aa973813.aspx

I'm not saying we should tear into the FCKeditor, but there are other places where we can leverage this library.

Eric
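The two ideas in this thread, encoding user content at output time (the earlier exchange) and the white-list versus black-list distinction Eric describes, can be shown side by side. The following is an added example, not code from the thread, the book, or Microsoft's AntiXss library; it is written in Python so it runs stand-alone. The .NET API names in the comments are real, but the safe-character set used by the white-list encoder is a constructed approximation, not the library's actual table, and the sample comment is constructed.

```python
# Added example: black-list vs white-list HTML output encoding.
# Not the thread's, the book's, or the AntiXss library's code.

# Black-list style: only characters known to be dangerous are replaced.
# This mirrors what .NET 2.0 HttpUtility.HtmlEncode / Server.HtmlEncode does:
# it encodes <, >, & and " but passes the apostrophe through unchanged
# (assumption based on that version's documented behaviour).
BLACKLIST_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def blacklist_html_encode(text: str) -> str:
    """Replace only the characters on the deny list; everything else is trusted."""
    return "".join(BLACKLIST_MAP.get(ch, ch) for ch in text)


# White-list style: only characters proven safe pass through; every other
# character becomes a numeric character reference. This safe set is a
# constructed approximation of the AntiXss approach, not its real table.
SAFE_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,-_"
)


def whitelist_html_encode(text: str) -> str:
    """Pass only allow-listed characters; encode everything else as &#NN;."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def render_comment(comment: str, encoder) -> str:
    """Build the markup a page would emit for one stored comment.

    The stored text is kept as the user typed it; encoding happens here, at
    output time, which is the conclusion the thread reaches.
    """
    return f'<div class="comment">{encoder(comment)}</div>'


def characters_left_unencoded(text: str, encoder) -> set:
    """Return the non-alphanumeric characters an encoder passes through verbatim.

    Useful for checking which characters a given encoder will not neutralise.
    """
    return {ch for ch in text if not ch.isalnum() and encoder(ch) == ch}


# Constructed sample comment containing the usual HTML metacharacters plus an
# apostrophe, the character the black-list encoder above leaves alone.
SAMPLE_COMMENT = "I'd say <b>TBH</b> is \"nice\" & useful"


if __name__ == "__main__":
    for name, enc in (("black-list", blacklist_html_encode),
                      ("white-list", whitelist_html_encode)):
        print(f"{name}: {render_comment(SAMPLE_COMMENT, enc)}")
        print(f"  left unencoded: {sorted(characters_left_unencoded(SAMPLE_COMMENT, enc))}")
```

The apostrophe is the practical difference: a black-list encoder that does not touch it is safe inside element text or a double-quoted attribute, but not when the encoded value lands inside a single-quoted attribute or a script block, whereas the white-list encoder neutralises it along with anything else outside the allow list. The `characters_left_unencoded` helper is a quick way to audit what any encoder in use actually lets through.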

 
Old February 5th, 2008, 08:44 PM
Friend of Wrox
 
Join Date: Mar 2006
Posts: 310
Thanks: 0
Thanked 0 Times in 0 Posts

Nice article, Eric!

Thanks for the share!
I will save the link for some time when I have more time and read it all!

 
Old February 6th, 2008, 06:58 AM
Authorized User
 
Join Date: Jun 2006
Posts: 46
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks, Eric, for sharing this information. But I'm surprised to see that this article has existed at MSDN since Nov. 2006 but it's the first time I'm hearing about it!