Velocity Reviews (newsgroup archive: ASP .Net Web Controls)

Secure Database-Driven output to Web-Controls like Repeater

 
 
ViperDK (Daniel K.)
08-13-2003
Scenario: users can store data (guestbook entries, their usernames and so on)
on a database-driven website and I have to make sure that they don't insert
(aggressive) JavaScript or HTML tags that destroy my layout. But it's not
an option to deny characters like ', " or < at all.

One option I got suggested is to make all the input valid HTML output (do
a HtmlEncode) before I store it in the database, but I think that is not that
great because it's too limited and bad design. If I make a WinForms
application or something else that is not web-based I'd have to handle and
undo all the HTML stuff that is only useful for HTML pages.

The two right solutions for this that I can think of: code controls like
Repeater with a property like "UseRawHtmlData" and let them automatically
HtmlEncode all output unless it is set for RawHtmlData. That would be a
safe design I think, but it has the disadvantage that MS didn't do it and I'd
have to make many modified controls that do.
The other solution I can think of is to code an SqlDataReader and a
SqlDataAdapter that also automatically HtmlEncode all text data.

I think the second way makes more sense: I would only have to use those
modified SQL classes and I would not have to touch the data web controls like
Repeater, DataGrid and so on.

Does anyone have such classes to use instead of the normal SQL classes, or is
there a better alternative to solve that problem? To HtmlEncode every field
manually like I do now seems to be the worst answer since it makes much work
and is error prone.


 
 
 
 
 
Eric Newton
08-15-2003
Well, before I can offer a solution I need a few pointers:

- are you intending to store the actual HTML in the database?
- you said you don't care about JS/HTML that can destroy layout, which makes
things easier

Unless I'm mistaken, I don't believe the "BoundColumns" in DataGrids change
the valid HTML to be encoded HTML,
and since the Repeater utilizes templates, you are in better control.

In your Repeater template, are you using "<asp:label runat=server text='<%#
DataBinder.Eval... %>'>"? If so then the Text property is automatically HTML
encoded; try changing to using the HtmlControls, specifically the
HtmlGenericControl, and setting the InnerHtml property, which
takes a string and outputs it verbatim.

HTH


--
Eric Newton
(E-Mail Removed)
C#/ASP.net Solutions developer

"ViperDK (Daniel K.)" <(E-Mail Removed)> wrote in message
news:bhdkh4$ffo$04$(E-Mail Removed)-online.com...

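The reply above makes claims about what each control does with its text (Label encoded, HtmlGenericControl.InnerHtml verbatim), and those claims are exactly the kind a defender should verify rather than trust, because a wrong guess here is an XSS hole in the guestbook. The following is an added check, not code from the thread or from either poster: it renders each control type with a constructed sample entry and reports whether the raw `<i>` tag survives. For the record, the WebControls Label writes its Text property to the page as-is (it is the TextBox that encodes, as the later posts conclude), and HtmlGenericControl offers InnerHtml (verbatim) beside InnerText (encoded). The `Sample`, `Render` and `LeaksMarkup` names are this example's own; the exact tag and attribute layout of the rendered HTML varies by framework version, but the encoded-versus-raw distinction is what the check is for.

```csharp
// Added example (not from the thread): render each control with a sample guestbook
// entry and look at the HTML it actually emits, rather than assuming what gets encoded.
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

public class ControlEncodingCheck
{
    // Constructed sample: the kind of entry the thread is worried about.
    public const string Sample = "i like <i> tags & \"quotes\"";

    // Render any control to a string without running a page life cycle.
    public static string Render(Control control)
    {
        StringWriter buffer = new StringWriter();
        control.RenderControl(new HtmlTextWriter(buffer));
        return buffer.ToString();
    }

    // True when the raw <i> tag survived into the output, i.e. the text was not encoded.
    public static bool LeaksMarkup(string html)
    {
        return html.IndexOf("<i>") >= 0;
    }

    public static void Main()
    {
        Label label = new Label();
        label.Text = Sample;                 // Label writes Text verbatim: markup reaches the browser.

        Label encodedLabel = new Label();
        encodedLabel.Text = HttpUtility.HtmlEncode(Sample);   // The fix for Label: encode when binding.

        TextBox box = new TextBox();
        box.ID = "Comment";
        box.Text = Sample;                   // TextBox encodes its value attribute itself.

        HtmlGenericControl rawDiv = new HtmlGenericControl("div");
        rawDiv.InnerHtml = Sample;           // InnerHtml is verbatim by design: only for trusted HTML.

        HtmlGenericControl textDiv = new HtmlGenericControl("div");
        textDiv.InnerText = Sample;          // InnerText encodes, the same as HttpUtility.HtmlEncode.

        Control[] controls = { label, encodedLabel, box, rawDiv, textDiv };
        string[] names = { "Label.Text", "Label.Text + HtmlEncode", "TextBox.Text",
                           "HtmlGenericControl.InnerHtml", "HtmlGenericControl.InnerText" };
        for (int i = 0; i < controls.Length; i++)
        {
            string html = Render(controls[i]);
            Console.WriteLine("{0,-30} {1}  ->  {2}", names[i],
                              LeaksMarkup(html) ? "RAW    " : "encoded", html);
        }
    }
}
```

Running this as a small console project that references System.Web shows two rows flagged RAW: the plain Label and the InnerHtml div. Both are the spots where a guestbook comment must pass through HttpUtility.HtmlEncode (or be bound to InnerText) before it is displayed; the same check can be repeated against any custom control before it is trusted with user-supplied text.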


 
 
 
 
 
ViperDK (Daniel K.)
08-16-2003
No, I want to store all data as it is. If someone writes stuff like "i like
<i> tags" it should get 1:1 into the database and I want an easy way to
verify in the output that it does get encoded.

I usually use DataGrids with BoundColumns like
<asp:BoundColumn DataField="Comment" HeaderText="Comment"></asp:BoundColumn>

And yes, I saw that the HtmlGenericControl has a property for the encoded and
the raw content. I wonder why the TextBox WebControl hasn't got that
functionality. Thought they should be first choice.

"Eric Newton" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...

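The design both of the original poster's messages circle around is to keep the stored text raw and encode it once, where it becomes HTML, instead of inside a modified SqlDataReader that cannot know whether its consumer is a web page, a WinForms client or an e-mail. The following is an added example of that approach for the BoundColumn DataGrid shown above; it is not code from the thread. It assumes a DataGrid declared in the .aspx with the id `CommentsGrid` (markup sketched in the comment), and `SampleRows` is a constructed stand-in for the real guestbook query. The handler name `EncodeBoundCells` and the helper `EncodeCellText` are this example's own.

```csharp
// Added example (not from the thread): store the text raw and encode it once,
// at the point where a DataGrid turns it into HTML.
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class GuestbookPage : Page
{
    // Assumed .aspx declaration:
    //   <asp:DataGrid id="CommentsGrid" runat="server" AutoGenerateColumns="false">
    //     <Columns>
    //       <asp:BoundColumn DataField="UserName" HeaderText="User" />
    //       <asp:BoundColumn DataField="Comment" HeaderText="Comment" />
    //     </Columns>
    //   </asp:DataGrid>
    protected DataGrid CommentsGrid;

    // Constructed rows standing in for the guestbook table; the markup is stored exactly as typed.
    static DataTable SampleRows()
    {
        DataTable table = new DataTable("Guestbook");
        table.Columns.Add("UserName", typeof(string));
        table.Columns.Add("Comment", typeof(string));
        table.Rows.Add(new object[] { "daniel", "i like <i> tags" });
        table.Rows.Add(new object[] { "<b>bold name</b>", "\"quotes\" & ampersands are fine" });
        table.Rows.Add(new object[] { "nobody", DBNull.Value });
        return table;
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Subscribe before any DataBind so every bound row passes through the encoder.
        CommentsGrid.ItemDataBound += new DataGridItemEventHandler(EncodeBoundCells);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!IsPostBack)
        {
            CommentsGrid.DataSource = SampleRows();
            CommentsGrid.DataBind();
        }
    }

    // BoundColumn copies the formatted value into TableCell.Text, which the cell renders
    // verbatim; this handler encodes every text-only data cell after the row has been bound.
    static void EncodeBoundCells(object sender, DataGridItemEventArgs e)
    {
        ListItemType type = e.Item.ItemType;
        if (type != ListItemType.Item && type != ListItemType.AlternatingItem
            && type != ListItemType.SelectedItem)
            return;
        foreach (TableCell cell in e.Item.Cells)
        {
            // TemplateColumn cells hold child controls rather than text; the template decides
            // its own encoding, and assigning Text would discard those controls.
            if (cell.Controls.Count == 0)
                cell.Text = EncodeCellText(cell.Text);
        }
    }

    // Encoding rule for one cell's text, kept separate so it can be checked without a page.
    public static string EncodeCellText(string text)
    {
        // A null/empty value may already have been rendered as a non-breaking-space placeholder;
        // encoding it again would show a literal "&nbsp;" to the visitor.
        if (text == null || text.Length == 0 || text == "&nbsp;")
            return text;
        return HttpUtility.HtmlEncode(text);
    }
}
```

With this in place the database keeps `i like <i> tags` byte for byte, the grid shows it as text, and a non-web consumer of the same table gets the original string with nothing to undo. The one thing the handler deliberately does not do is encode cells produced by a TemplateColumn, so a Repeater or template that binds to a Label still has to encode in its own `<%# %>` expression.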
 
 
Eric Newton
08-22-2003
Yeah, I guess the TextBoxes were designed from the start to be HTML proper,
i.e., if they have HTML in their Text property then it's HtmlEncoded so that
what is in the text is exactly what you see...

I would guess it'll always stay this way, but a simple boolean property
wouldn't hurt


--
Eric Newton
(E-Mail Removed)
C#/ASP.net Solutions developer

"ViperDK (Daniel K.)" <(E-Mail Removed)> wrote in message
news:bhk2bl$hge$01$(E-Mail Removed)-online.com...