BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640
Old June 15th, 2010, 02:46 AM
Authorized User
 
Join Date: Mar 2009
Posts: 75
Thanks: 16
Thanked 1 Time in 1 Post
A question regarding fckeditor

The article's body input that is edited via FCKeditor may be potentially dangerous because it's HTML-encoded on the client side only, so it is not safe at all.

There should be server-side validation to prevent any XSS attacks.

What can you suggest?
 
Old June 15th, 2010, 09:24 PM
Friend of Wrox
 
Join Date: Jun 2007
Posts: 477
Thanks: 10
Thanked 19 Times in 18 Posts

You need HtmlEncode for that. If you're interested, there are some other variations for other items as well.

http://dotnetperls.com/encode-html-string
http://aspnetresources.com/blog/encoding_forms.aspx
__________________
-------------------------

Whatever you can do or dream you can, begin it. Boldness has genius, power and magic in it. Begin it now.
-Johann von Goethe

When Two Hearts Race... Both Win.
-Dove Chocolate Wrapper

Chroniclemaster1, Founder of www.EarthChronicle.com
A Growing History of our Planet, by our Planet, for our Planet.
 
Old June 16th, 2010, 05:28 AM
Authorized User
 
Join Date: Mar 2009
Posts: 75
Thanks: 16
Thanked 1 Time in 1 Post

I can't just use regular HtmlEncode because the editor generates rich HTML format, so HtmlEncode will break it.
 
Old June 16th, 2010, 02:31 PM
Friend of Wrox
 
Join Date: Jun 2007
Posts: 477
Thanks: 10
Thanked 19 Times in 18 Posts

OK, that means you'll have to program something yourself, which is bad in that it's more work, but actually nice in that you can create one that's much better.

I have yet to work on one, but I have started designing a "sanitizing" dictionary. The idea is to swap out characters you don't want for things that you do. You create a generic Dictionary<TKey, TValue>; each key you choose will be a character that you're concerned about, and then you can insert a value (one or more characters) that you want inserted instead. Then create a helper function which returns this dictionary whenever it's requested. You can stick it in a class like InputSecurity in Your.Namespace.Security and add a using statement for this namespace in any file where you want to use the dictionary.

Then you write a function like this:

Code:
using System.Collections.Generic;
using System.Text;
// Helper class that returns the "sanitizing" dictionary described above.
// Sample entries: key = character of concern, value = what to insert instead.
public class InputSecurity
{
    public Dictionary<string, string> getMyDictionary()
    {
        Dictionary<string, string> dic = new Dictionary<string, string>();
        dic.Add("<", "&lt;");
        dic.Add(">", "&gt;");
        return dic;
    }
}

public string mySanitizer(string inputString)
{
    // Get the dictionary
    InputSecurity myInputSecurity = new InputSecurity();
    Dictionary<string, string> dic = myInputSecurity.getMyDictionary();

    // Check each character of inputString against "dic":
    // if dic returns a value, replace the character with that value;
    // if it does not, the character is not one of concern and stays.
    StringBuilder result = new StringBuilder(inputString.Length);
    foreach (char c in inputString)
    {
        string replacement;
        if (dic.TryGetValue(c.ToString(), out replacement))
            result.Append(replacement);
        else
            result.Append(c);
    }
    return result.ToString();
}
If you want to create a BB code or similar system, you just need to make one modification. If dic returns a value don't insert the value from the dictionary, insert "[" + value + "]". If you don't want to use square brackets you can define whatever characters you're going to use as a flag to say "this is where a character of concern used to be". Then you can create other code modules that interpret your modified code and turn anything you consider "safe" back into HTML.
 
Old June 16th, 2010, 03:18 PM
Authorized User
 
Join Date: Mar 2009
Posts: 75
Thanks: 16
Thanked 1 Time in 1 Post

Well, it's not so trivial; XSS attacks use different methods to inject stuff, so there are a lot of options to examine.
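As an added example (not code from this thread or the book): the two posts above establish that HtmlEncode destroys the editor's rich HTML and that swapping a handful of characters does not cover the many ways script can be injected. The usual defender's answer is an allowlist sanitizer: parse the HTML server-side, keep only known-good tags and attributes, reject unsafe link schemes and re-encode all text. This one is written in Python with the standard library's html.parser (rather than the thread's C#) so it runs stand-alone; the allowed tag and attribute sets are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist (assumed for this example): only these tags/attributes survive.
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL

def safe_url(value):
    """Allow only http(s)/mailto/relative links; reject javascript:, data:, vbscript: ...
    Whitespace/control chars are stripped first, since browsers ignore them inside a scheme."""
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0   # > 0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = []
            for name, value in attrs:   # event handlers (onclick, ...) are never listed
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    if name == "href" and not safe_url(value):
                        continue   # unsafe link target: drop the attribute, keep the tag
                    kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))
        # any other tag (img, iframe, div, ...) is dropped; its text content is kept

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:   # text is re-encoded, so markup smuggled as text stays inert
            self.out.append(escape(data, quote=False))

def sanitize_html(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Because everything not explicitly allowed is removed, new attack vectors do not need to be enumerated one by one; extending the editor's feature set means adding a tag or attribute to the allowlist deliberately.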
 
Old August 25th, 2010, 11:06 PM
Registered User
 
Join Date: Aug 2010
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts

Error 1 Could not load file or assembly 'MB.TheBeerHouse.CustomEvents' or one of its dependencies. The system cannot find the file specified. C:\Project\Web\TheBeerHouse\web.config 92