Velocity Reviews, ASP .Net Security forum: Cross-Site Scripting & sqlDataReader (http://www.velocityreviews.com/forums/t766077-cross-site-scripting-and-sqldatareader.html)

vineetbatta 05-11-2004 12:16 AM

Cross-Site Scripting & sqlDataReader
 
I am using SqlDataReader for showing data from the database.
But if the data from SQL contains tags like <script>alert()</script>, then it shows an alert box while binding.

Is there any way of suppressing this, or is it a flaw?

regards
Vineet Batta


Ken Schaefer 05-11-2004 06:52 AM

Re: Cross-Site Scripting & sqlDataReader
 
Use HTMLEncode() when outputting the data.

It replaces things like < with &lt; etc. It is not a bug - you are using
reserved characters in your text, and you need to replace those reserved
characters with the appropriate HTML Entities that are defined in the HTML
specifications. HTMLEncode() does this for you.

Cheers
Ken

"vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
: I am using sqlDataReader for Showing data from the Data base.
: But if the Data from sql is having tags like <script>alert()</script> then
: it shows an alert box while binding.
:
: Is there any way of suppressing it this ..... ???? or is it a flaw?
:
: regards
: Vineet Batta
:



avnrao 05-11-2004 06:55 AM

Re: Cross-Site Scripting & sqlDataReader
 
Use HttpServerUtility.UrlEncode while binding.

Av.
"vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
>I am using sqlDataReader for Showing data from the Data base.
> But if the Data from sql is having tags like <script>alert()</script> then
> it shows an alert box while binding.
>
> Is there any way of suppressing it this ..... ???? or is it a flaw?
>
> regards
> Vineet Batta
>




Ken Schaefer 05-11-2004 07:15 AM

Re: Cross-Site Scripting & sqlDataReader
 
You mean HTMLEncode()?

URLEncode() is for formatting text to be placed into a URL (e.g. as part of a
querystring).

Cheers
Ken

"avnrao" <avn@newsgroups.com> wrote in message
news:eI$54TyNEHA.1396@TK2MSFTNGP10.phx.gbl...
: use HttpServerUtility.UrlEncode while binding.
:
: Av.
: "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
: news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
: >I am using sqlDataReader for Showing data from the Data base.
: > But if the Data from sql is having tags like <script>alert()</script> then
: > it shows an alert box while binding.
: >
: > Is there any way of suppressing it this ..... ???? or is it a flaw?
: >
: > regards
: > Vineet Batta
: >
:
:
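The two points made in this thread, that data read from the database must be HTML-encoded at the moment it is written into the page, and that UrlEncode is the wrong encoder for that job, are illustrated below in an added example that is not code from the thread or from any of its posters. It replaces the real SqlDataReader with a constructed in-memory row list, and uses System.Net.WebUtility (available without System.Web on modern .NET; in Web Forms the equivalent calls are Server.HtmlEncode / HttpUtility.HtmlEncode). The method names RenderRaw, RenderEncoded and UrlEncodedCell are this example's own.

```csharp
// Added example, not from the original thread.
// Shows the raw binding the original poster describes, the HtmlEncode fix,
// and why UrlEncode does not belong in an HTML element body.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class ReaderEncodingDemo
{
    // Constructed sample rows standing in for what a SqlDataReader would return.
    // Row 2 is the kind of stored value that triggered the alert box in the thread.
    private static readonly List<(int Id, string Comment)> SampleRows = new()
    {
        (1, "Looks good, ships Tuesday"),
        (2, "<script>alert()</script>"),
        (3, "Use a <b>bold</b> tag & an ampersand"),
    };

    // Vulnerable pattern: each cell is built from the column value as-is, so any
    // markup stored in the database becomes live markup when the page is rendered.
    // This is the equivalent of <%# Eval("Comment") %> with no encoding.
    public static string RenderRaw(IEnumerable<(int Id, string Comment)> rows)
    {
        var sb = new StringBuilder("<table>\n");
        foreach (var (id, comment) in rows)
        {
            sb.Append("<tr><td>").Append(id).Append("</td><td>")
              .Append(comment)
              .Append("</td></tr>\n");
        }
        return sb.Append("</table>").ToString();
    }

    // Fixed pattern: encode at the point of output. '<', '>', '&' and '"' become
    // HTML entities (&lt; &gt; &amp; &quot;), so the browser displays the stored
    // text literally instead of interpreting it as markup. The database row itself
    // is left untouched; encoding is an output concern, not a storage concern.
    public static string RenderEncoded(IEnumerable<(int Id, string Comment)> rows)
    {
        var sb = new StringBuilder("<table>\n");
        foreach (var (id, comment) in rows)
        {
            sb.Append("<tr><td>").Append(id).Append("</td><td>")
              .Append(WebUtility.HtmlEncode(comment))
              .Append("</td></tr>\n");
        }
        return sb.Append("</table>").ToString();
    }

    // The encoder suggested (and then withdrawn) in the thread: it escapes a value
    // for use inside a URL component, turning '<' into %3C and so on. Dropped into
    // an HTML element body it stops the script from running but mangles every
    // space and punctuation mark the user will see. It is the right call only
    // when the value goes into a query string, e.g. "?q=" + WebUtility.UrlEncode(v).
    public static string UrlEncodedCell(string value) => WebUtility.UrlEncode(value);

    public static void Main()
    {
        Console.WriteLine("--- raw: the <script> element is live markup in a browser ---");
        Console.WriteLine(RenderRaw(SampleRows));

        Console.WriteLine("--- HtmlEncode: the same rows rendered as inert text ---");
        Console.WriteLine(RenderEncoded(SampleRows));

        Console.WriteLine("--- UrlEncode of row 2: wrong encoder for an HTML body ---");
        Console.WriteLine(UrlEncodedCell(SampleRows[1].Comment));
    }
}
```

In a Web Forms template the fix is the same call at the binding expression, `<%# Server.HtmlEncode(Eval("Comment").ToString()) %>`. HtmlEncode covers text placed in element content and in double-quoted attribute values; a value written into a script block or an event-handler attribute is a different context and needs that context's encoder, and a column that is meant to carry real HTML (the `<b>` in row 3) cannot be encoded this way without losing the formatting, which calls for an HTML sanitizer rather than an encoder.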



avnrao 05-11-2004 08:36 AM

Re: Cross-Site Scripting & sqlDataReader
 
That's true. It's HTMLEncode().

Av.

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OfdW3eyNEHA.3492@TK2MSFTNGP10.phx.gbl...
> You mean HTMLEncode()?
>
> URLEncode() is for formatting text to be placed into a URL (eg as part of
> a
> querystring)
>
> Cheers
> Ken
>
> "avnrao" <avn@newsgroups.com> wrote in message
> news:eI$54TyNEHA.1396@TK2MSFTNGP10.phx.gbl...
> : use HttpServerUtility.UrlEncode while binding.
> :
> : Av.
> : "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
> : news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
> : >I am using sqlDataReader for Showing data from the Data base.
> : > But if the Data from sql is having tags like <script>alert()</script> then
> : > it shows an alert box while binding.
> : >
> : > Is there any way of suppressing it this ..... ???? or is it a flaw?
> : >
> : > regards
> : > Vineet Batta
> : >
> :
> :
>
>




