Velocity Reviews - Computer Hardware Reviews

Cross-Site Scripting & sqlDataReader

vineetbatta
Guest
Posts: n/a
 
      05-11-2004
I am using SqlDataReader for showing data from the database.
But if the data from SQL has tags like <script>alert()</script>, then it shows an alert box while binding.

Is there any way of suppressing this, or is it a flaw?

regards
Vineet Batta

Ken Schaefer
Guest
Posts: n/a
 
      05-11-2004
Use HTMLEncode() when outputting the data.

It replaces things like < with &lt; etc. It is not a bug - you are using
reserved characters in your text, and you need to replace those reserved
characters with the appropriate HTML Entities that are defined in the HTML
specifications. HTMLEncode() does this for you.

Cheers
Ken

"vineetbatta" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
: I am using sqlDataReader for Showing data from the Data base.
: But if the Data from sql is having tags like <script>alert()</script> then it shows an alert box while binding.
:
: Is there any way of suppressing it this ..... ???? or is it a flaw?
:
: regards
: Vineet Batta
:


avnrao
Guest
Posts: n/a
 
      05-11-2004
Use HttpServerUtility.UrlEncode while binding.

Av.
"vineetbatta" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I am using sqlDataReader for Showing data from the Data base.
> But if the Data from sql is having tags like <script>alert()</script> then
> it shows an alert box while binding.
>
> Is there any way of suppressing it this ..... ???? or is it a flaw?
>
> regards
> Vineet Batta
>



Ken Schaefer
Guest
Posts: n/a
 
      05-11-2004
You mean HTMLEncode()?

URLEncode() is for formatting text to be placed into a URL (e.g. as part of a
query string).

Cheers
Ken

"avnrao" <(E-Mail Removed)> wrote in message
news:eI$(E-Mail Removed)...
: use HttpServerUtility.UrlEncode while binding.
:
: Av.
: "vineetbatta" <(E-Mail Removed)> wrote in message
: news:(E-Mail Removed)...
: >I am using sqlDataReader for Showing data from the Data base.
: > But if the Data from sql is having tags like <script>alert()</script> then
: > it shows an alert box while binding.
: >
: > Is there any way of suppressing it this ..... ???? or is it a flaw?
: >
: > regards
: > Vineet Batta
: >
:
:


avnrao
Guest
Posts: n/a
 
      05-11-2004
That's true. It's HTMLEncode().

Av.

"Ken Schaefer" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You mean HTMLEncode()?
>
> URLEncode() is for formatting text to be placed into a URL (eg as part of
> a querystring)
>
> Cheers
> Ken
>
> "avnrao" <(E-Mail Removed)> wrote in message
> news:eI$(E-Mail Removed)...
> : use HttpServerUtility.UrlEncode while binding.
> :
> : Av.
> : "vineetbatta" <(E-Mail Removed)> wrote in message
> : news:(E-Mail Removed)...
> : >I am using sqlDataReader for Showing data from the Data base.
> : > But if the Data from sql is having tags like <script>alert()</script> then
> : > it shows an alert box while binding.
> : >
> : > Is there any way of suppressing it this ..... ???? or is it a flaw?
> : >
> : > regards
> : > Vineet Batta
> : >
> :
> :
>
>



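As an added example (not code from the thread or from any poster), the fix Ken describes applied in an ASP.NET Web Forms code-behind that reads rows with SqlDataReader, plus the HtmlEncode/UrlEncode distinction the later replies settle. The page class, the Comments label, the connection string, table and column are placeholders; HttpUtility.HtmlEncode is the encoder Server.HtmlEncode wraps.

```csharp
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical page: reads comment bodies with SqlDataReader and renders them.
public class CommentsPage : Page
{
    // Label.Text is written to the response verbatim; nothing encodes it for you.
    protected Label Comments;
    // Placeholders: substitute your own connection string, table and column.
    private const string ConnectionString =
        "Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true";
    private const string Query = "SELECT Body FROM Comment";

    protected void Page_Load(object sender, EventArgs e)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(Query, conn))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    string body = reader.IsDBNull(0) ? string.Empty : reader.GetString(0);
                    // Vulnerable (what the original poster saw): the stored string goes
                    // into the page as markup, so "<script>alert()</script>" runs.
                    //   Comments.Text += body + "<br />";
                    // Fixed: encode on output; the browser now displays the tags as text.
                    Comments.Text += AsHtmlText(body) + "<br />";
                }
            }
        }
    }

    // HtmlEncode maps < > & " to &lt; &gt; &amp; &quot;, which is what an HTML
    // body needs. UrlEncode would percent-escape instead (%3c for <): the parser
    // does not see a tag, but the text displays garbled, because UrlEncode is
    // meant for query-string values, not for HTML content.
    public static string AsHtmlText(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // The same rule in a DataGrid template column, the thread's "while binding" case:
    //   <%# Server.HtmlEncode(Convert.ToString(DataBinder.Eval(Container.DataItem, "Body"))) %>
}
```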