
Global implementation of input validation


Radhika.Putcha

Nov 19, 2009, 3:42:18 PM
Hi

We are trying to implement a global method to detect cross-site scripting
vulnerability attacks - to filter hazardous characters from user input before
the request is submitted. Can you please suggest whether there is a global way of
achieving this?


Andrew Morton

Nov 20, 2009, 5:53:57 AM

You could use HttpUtility.HtmlEncode on all the user-input data before
displaying it, that way any code is rendered harmlessly as text, e.g.

label1.Text=HttpUtility.HtmlEncode(UserName)


ASP.NET guards against XSS attempts by default; try entering the text
"<script>" in an input on a form and when it's submitted you'll get an error
like
---------------------------
"A potentially dangerous Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$uName="<script>").

Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section.
However, it is strongly recommended that your application explicitly check
all inputs in this case."
---------------------------

And if you store data in a database, don't forget to guard against SQL
injection attacks by using parameters to pass values to the database.

Andrew
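The encode-on-output approach Andrew describes, worked through as an added example (this is not code from the thread). It assumes .NET Framework 4.x with a reference to System.Web.dll, and the two sample input strings are constructed for the demonstration. The point it adds to the answer is that the encoder has to match the output context: HtmlEncode for text between tags, HtmlAttributeEncode inside a quoted attribute, JavaScriptStringEncode inside a quoted script literal, and SQL parameters for the database. It also shows why a single global "strip hazardous characters" filter on input is the wrong model: the name O'Brien is legitimate input, yet its apostrophe is exactly the character a crude filter would remove.

```csharp
// Added example, not from the original thread. Requires a reference to
// System.Web.dll (.NET Framework 4.x); sample inputs are constructed.
using System;
using System.Data.SqlClient;
using System.Web;

class XssEncodingDemo
{
    // Untrusted values as a user might submit them (constructed samples).
    static readonly string UserName = "O'Brien <script>alert(1)</script>";
    static readonly string Colour   = "red\" onmouseover=\"alert(1)";

    // HTML body context: HtmlEncode converts <, >, &, " and (from .NET 4.0) '
    // into entities, so the browser shows the text instead of executing it.
    static string RenderLabel(string untrusted)
    {
        return "<span>" + HttpUtility.HtmlEncode(untrusted) + "</span>";
    }

    // Attribute context: the attribute must be quoted AND encoded. The encoder
    // escapes the quote characters, so the value cannot close the attribute
    // and start a new one; an unquoted attribute would still be injectable
    // because whitespace ends the value there.
    static string RenderInput(string untrusted)
    {
        return "<input name=\"colour\" value=\""
             + HttpUtility.HtmlAttributeEncode(untrusted) + "\">";
    }

    // JavaScript string context: HtmlEncode is the wrong tool here. The value
    // is placed inside a quoted JS literal and escaped with
    // JavaScriptStringEncode (available since .NET 4.0).
    static string RenderScript(string untrusted)
    {
        return "<script>var who = \""
             + HttpUtility.JavaScriptStringEncode(untrusted) + "\";</script>";
    }

    // Database context: a parameter keeps the value out of the SQL text, so
    // the apostrophe in O'Brien is data, not syntax. The command is built but
    // not executed here (no connection is opened).
    static SqlCommand BuildLookup(string untrusted)
    {
        var cmd = new SqlCommand("SELECT Id FROM Users WHERE Name = @name");
        cmd.Parameters.AddWithValue("@name", untrusted);
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine(RenderLabel(UserName));
        Console.WriteLine(RenderInput(Colour));
        Console.WriteLine(RenderScript(UserName));
        Console.WriteLine(BuildLookup(UserName).CommandText);
    }
}
```

Each Render* method is the place a "global" solution actually lives: the encoding happens once, at the point where untrusted data meets markup, rather than in a request filter that has to guess every context the value might later be written into. The Request Validation feature Andrew quotes is a safety net for Web Forms pages, not a substitute for this; it rejects obvious patterns such as a leading `<` followed by a letter, and it is commonly disabled on pages that must accept markup.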

