MVC :: Getting Safe With ValidateInput As False?
Feb 21, 2011
I want to store certain HTML tags in my database for the layout of content, for example <h3> and <p> tags. The problem is that with ValidateInput set to True, you get a "Potential Danger error" when you try sending content with HTML tags.
With it set to False, you open yourself to all sorts of potential dangers. So here is what I'm wanting to achieve:
I hope you like the image! lol, I spent 10 minutes in Photoshop to create it.
So everything that goes in, I want encoded, but when I get content back, I want to decode only the <h3> and <p> tags! What do you think of my solution? Bad, good?
View 16 Replies
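The scheme the question describes, written out as an added example (not the poster's code): every field is HTML-encoded before it is stored, and on the way out only the exact encoded forms of bare <h3>, </h3>, <p> and </p> are turned back into markup. The class and method names are assumed; the sample inputs are constructed for the illustration. Because the whitelist matches the complete encoded tag, a tag that carries attributes (<p onmouseover=...>) never matches and stays inert text, which is the property that makes the approach safe without a general-purpose sanitizer.

```csharp
// Added example, not code from the original post. Requires a reference to
// System.Web.dll for HttpUtility.
using System;
using System.Collections.Generic;
using System.Web;

public static class SafeHtml
{
    // Only bare tags with no attributes are ever turned back into markup.
    // Keys are exactly what HttpUtility.HtmlEncode produces for those tags.
    private static readonly Dictionary<string, string> Allowed =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "&lt;h3&gt;",  "<h3>"  }, { "&lt;/h3&gt;", "</h3>" },
            { "&lt;p&gt;",   "<p>"   }, { "&lt;/p&gt;",  "</p>"  },
        };

    // Input side: everything is encoded, so nothing stored is executable markup.
    public static string EncodeForStorage(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Output side: still encoded, except for the whitelisted sequences.
    // "&lt;p onmouseover=&quot;...&quot;&gt;" does not equal "&lt;p&gt;",
    // so an opening tag with attributes is left as visible text.
    public static string DecodeAllowedTags(string stored)
    {
        if (string.IsNullOrEmpty(stored)) return string.Empty;
        string result = stored;
        foreach (KeyValuePair<string, string> pair in Allowed)
            result = result.Replace(pair.Key, pair.Value);   // ordinal replace
        return result;
    }

    public static void Main()
    {
        // Constructed samples: one legitimate, three hostile.
        string[] samples =
        {
            "<h3>Title</h3><p>Hello & welcome</p>",
            "<p onmouseover=\"alert(1)\">x</p>",
            "<script>alert(document.cookie)</script>",
            "<h3>ok</h3><img src=x onerror=alert(1)>",
        };
        foreach (string s in samples)
        {
            string stored = EncodeForStorage(s);
            Console.WriteLine("stored : " + stored);
            Console.WriteLine("output : " + DecodeAllowedTags(stored));
            Console.WriteLine();
        }
    }
}
```

Two things to keep in mind when wiring this into a view: the result of DecodeAllowedTags has to be written with <%= %> (or Html.Raw in Razor), since <%: %> and @ would encode it a second time; and the hostile second sample comes out with a stray </p> and no opening tag, which browsers tolerate but which shows that the whitelist does not try to keep tags balanced.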
Similar Messages:
Apr 30, 2010
I have a website which sometimes collects data from users via text boxes, and stores the data for later display.The .aspx site uses standard out-of-the-box asp.net Request Validation to stop cross-site scripting attacks.I now want to give certain users the option of populating the data via a web service rather than a web page.So I am creating an .asmx web service.1)Am I correct in thinking that in .net 3.5, data coming in to a .asmx web service is completely unprotected off-the-shelf from cross-site scripting attacks, and has to be treated with caution and html-encoded and inspected
View 1 Replies
Mar 18, 2011
Is there a way I can handle HttpRequestValidationException without turning off ValidateInput?
What I really want is all HTML posted from a form to be automatically encoded in the model unless a particular property has the AllowHtml attribute set.
If I have to turn off ValidateInput, then what happens to the rest of my model validation? Will it still be validated or do I need to explicitly check ModelState.IsValid?
I'm also catching the exception in a custom model binder class but every time I try to access the offending property from Request.Form, the exception gets thrown. Is there a way to get that value in the model binder?
View 2 Replies
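One way to get the behaviour asked for above (everything encoded at bind time unless the property carries [AllowHtml]), as an added example that is not the poster's code. It assumes ASP.NET MVC 3, which ships AllowHtmlAttribute and lets ModelBinders.Binders.DefaultBinder be replaced; the model, controller and action names are made up. Request validation is switched off only on the action that uses the binder, and DataAnnotations validation is a separate mechanism that is unaffected by ValidateInput, so ModelState.IsValid still has to be checked and still reports Required/StringLength failures.

```csharp
// Added example, not from the original post. Assumes System.Web.Mvc 3.0.
using System.ComponentModel;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Every string property is HTML-encoded as it is bound, unless the
// property opts out with [AllowHtml].
public class EncodingModelBinder : DefaultModelBinder
{
    protected override void SetProperty(ControllerContext controllerContext,
                                        ModelBindingContext bindingContext,
                                        PropertyDescriptor propertyDescriptor,
                                        object value)
    {
        var text = value as string;
        bool allowHtml = propertyDescriptor.Attributes
                                           .OfType<AllowHtmlAttribute>().Any();
        if (text != null && !allowHtml)
            value = HttpUtility.HtmlEncode(text);

        base.SetProperty(controllerContext, bindingContext, propertyDescriptor, value);
    }
}

public class CommentModel   // assumed model
{
    [Required, StringLength(60)]
    public string Author { get; set; }   // "<b>x</b>" is bound as "&lt;b&gt;x&lt;/b&gt;"

    [AllowHtml]
    public string Body { get; set; }     // bound raw; must go through a whitelist before output
}

public class CommentsController : Controller   // assumed controller
{
    // Request validation is off for this action only; the binder encodes
    // instead of the framework throwing HttpRequestValidationException.
    [HttpPost, ValidateInput(false)]
    public ActionResult Create(CommentModel model)
    {
        // DataAnnotations still run: ValidateInput does not touch them.
        if (!ModelState.IsValid)
            return View(model);

        // ... persist model; render Body only after whitelist filtering ...
        return RedirectToAction("Index");
    }
}

// Registration, in Global.asax Application_Start:
//   ModelBinders.Binders.DefaultBinder = new EncodingModelBinder();
```

Note that encoding lengthens strings, so [StringLength] is checked against the encoded value. For the last question in the post (reading the offending value without tripping validation), MVC 3 also provides Request.Unvalidated() from System.Web.Helpers, whose .Form collection returns the raw values; the binder above does not need it because validation is already off for the action.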
Sep 21, 2010
There is not a clear category on the site where to post this, so giving it a shot here.
Has anyone used VS 2008? I currently use Tortoise for some projects, and SourceGear Vault for others.
The company where I work is thinking about moving to VSS because of the MSDN subscription.
My experience with VSS prior to VSS 2005 was that it coined the name "Visual Source Unsafe" and I know first hand that it trashed my work more than once and I stopped using it. SourceGear Vault on the other hand is rock solid.
So is VSS 2008 really "safe"? Was VSS 2005 "safe"?
View 3 Replies
Feb 28, 2011
I wonder if it's safe to use the CTP5 in production yet. My main use would be for 2 small projects. I know they pre-released it, but any thoughts on whether it would hold up for production are welcome.
View 1 Replies
Nov 12, 2010
I've a blog-driven ASP.NET website. Under the post, there is a Comment block to let readers post comments. I've used some TextBoxes and TextArea for that. To prevent XSS: I've filtered the input by using the Server.HtmlEncode() method (I don't care about text formatting). To prevent SQL injection: I'm using Linq To SQL (that should be like parametrized queries I think!).
ArticlesDataClasses dc = new ArticlesDataClasses();
ArticleComment newComm = new ArticleComment()
{
    ArticleID = int.Parse(Request.QueryString["ArticleID"]),
    CommentAuthor = Server.HtmlEncode(txtName.Text),
    // Encode first, then turn newlines into <br />, so <br /> is the only tag ever emitted
    CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
    CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
    CommentTime = DateTime.Now,
    Enabled = false
};
View 1 Replies
Jan 12, 2011
For example, this is the code that I am using:
String commandString = "UPDATE Members SET UserName = @newName , AdminLevel = @userLevel WHERE UserID = @userid";
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandString, conn))
{
    cmd.Parameters.AddWithValue("@newName", newName);
    cmd.Parameters.AddWithValue("@userLevel", userLevel);
    cmd.Parameters.AddWithValue("@userid", userid);
    conn.Open();
    cmd.ExecuteNonQuery();   // an UPDATE returns no result set, so there is no reader to close
}
View 3 Replies
Apr 23, 2010
When storing a value in a cookie using C#, what is the best way to encode (or escape) the value so that it can be retrieved and decoded/unescaped reliably?
I'm not talking about encryption.
View 1 Replies
Oct 21, 2010
I'm trying to make an existing ASP.NET web forms app more unit testable by using some of the ASP.NET MVC objects, specifically HttpContextWrapper. I've seen examples of its usage and they always create a new object. I disassembled the source with Reflector and see all it does is store the passed HttpContext. But I was curious as to whether or not it's safe to always create a new instance of HttpContextWrapper or follow the singleton pattern somehow? Below is the class I'm using in my app
public static class AppHttpContext {
public static HttpContextBase Current { get { return Getter(); } }
public static void SetContext(Func<HttpContextBase> getter) {
Getter = getter;
}
private static Func<HttpContextBase> Getter = () => new HttpContextWrapper(HttpContext.Current);
}
And I use it similar to HttpContext.Current
AppHttpContext.Current.Session["blah"] = "something";
View 1 Replies
Feb 10, 2011
I'm considering making use of an HttpModule for localization purposes (based on the example in this article) - but I'm curious, is this safe?
Here's the code, for reference:
public class CookieLocalizationModule : IHttpModule
{
public void Dispose()
{
}
[code]....
I was under the impression that multiple threads could potentially service a web request. Is it safe to set the Current/Current UI Cultures in an HttpModule like this and have it respected for the life of the web request regardless of how many threads are involved in servicing it?
View 1 Replies
Jan 23, 2011
Is there any way to make asp.net objectdatasources to be type safe? Meaning I get a compile time error if parameters or datatypes change during refactoring? Does anyone know any other method? Or can recommend any other way to do it? I find manual binding tedious. What are other people doing?
View 1 Replies
Feb 1, 2010
I have been in the process of updating my code with security methods, and I've been learning this from [URL](or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".
Now, what it said to use was code like:
DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
........
But, I was already using code like:
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("someVal", val);
So now, to use type safe parameters, I decided to include it like:
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, it says that this should apply to unfiltered input. Also, in their example they only did this for an ID.
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like input that has been run through a regular expression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources?
View 1 Replies
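An added example that serves both the Jan 12, 2011 post ("is this UPDATE safe?") and the Feb 1, 2010 post above (typed parameters versus filtering); it is not code from either poster. The string-concatenated statement is shown next to the parameterized, explicitly typed one. Table and column names (Members, UserName, AdminLevel, UserID) follow the first post; the connection string, the NVARCHAR(50) length and the TinyInt admin level are assumptions. The point for the second post's question: parameters are not a response to "unfiltered" input specifically. A parameter value is sent to SQL Server as typed data, never spliced into the statement text, so it is the right mechanism for every value, filtered or not, and its cost is negligible compared with the round trip to the server. Regular-expression filtering is a separate input-validation concern, not a substitute.

```csharp
// Added example, not from the original posts. Assumes System.Data.SqlClient.
using System;
using System.Data;
using System.Data.SqlClient;

public static class MemberRepository
{
    // VULNERABLE (shown only for contrast): newName = "x', AdminLevel = 9 WHERE UserID = 1 --"
    // rewrites the statement. No regular expression makes this construction safe.
    public static string BuildUnsafeUpdate(string newName, int userId)
    {
        return "UPDATE Members SET UserName = '" + newName +
               "' WHERE UserID = " + userId;
    }

    // SAFE: values travel as typed parameters and can never be read as SQL text,
    // whatever characters they contain. Declaring SqlDbType and size explicitly
    // (rather than letting AddWithValue infer them from the .NET type) sends the
    // parameter with the column's own type, avoiding implicit conversions.
    public static int UpdateMember(string connectionString, string newName,
                                   byte adminLevel, int userId)
    {
        if (newName == null) throw new ArgumentNullException("newName");
        if (newName.Length > 50)
            throw new ArgumentException("UserName exceeds 50 characters", "newName");

        const string sql =
            "UPDATE Members SET UserName = @newName, AdminLevel = @userLevel " +
            "WHERE UserID = @userId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
            cmd.Parameters.Add("@userLevel", SqlDbType.TinyInt).Value = adminLevel;
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;

            conn.Open();
            return cmd.ExecuteNonQuery();   // rows affected; an UPDATE has no result set
        }
    }
}
```

The explicit length check is there because the application, not the driver, should decide what happens to an over-long value; the parameter size then documents the column contract in the code that calls it.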
Mar 30, 2011
I am toying with the idea of enabling CLR on my SQL server, using EXEC sp_configure 'clr enabled', 1
However, I am sharing my database server with several other developers and their projects. I've heard vaguely that there might be security issues with enabling this.
Does anyone know what these issues might be? Is CLR safe to use on SQL Server?
View 1 Replies
Mar 15, 2011
I've been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post in here suggested only using parametrized queries. Well, I'm using them, but I want to be sure my code is safe; is it?
[code]....
View 3 Replies
Jul 8, 2010
I have created a custom Iidentity object to store specific user settings for logged in users. I was wondering is it safe to store sensitive data like userid's or other id's in the object? Is there any security risk to doing so? Also, how much is too much to store in the object?
View 1 Replies
Mar 30, 2011
Probably these are two questions in one, I am using one EF context per request, but I want to use one per thread, because I am going to make some complex task in another thread during the request. So, is it safe? If the answer is yes, how to do it? how to store objects in thread and get them back?
View 2 Replies
Apr 27, 2010
if i write this for example,
If Session("authenticated") = "" Then
    Response.Redirect("default.aspx")
End If
is it safe enough or should i encrypt it?
View 2 Replies
Mar 25, 2010
Is it safe to use such code?
Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";
I want to know about all corner cases.
View 3 Replies
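An added example that covers both the Apr 23, 2010 post (encoding a cookie value so it round-trips) and the Mar 25, 2010 post above (the Path corner cases); it is not code from either poster. The value is URL-encoded with HttpUtility.UrlEncode, which removes ';', ',', '=' and whitespace, the characters that break cookie headers, and is reversed exactly by UrlDecode. The path uses VirtualPathUtility.AppendTrailingSlash, which handles the corner case the second post is asking about: for an application at the site root Request.ApplicationPath is "/", so Request.ApplicationPath + "/" would produce "//", while for "/MyApp" it correctly produces "/MyApp/". The helper names are assumed.

```csharp
// Added example, not from the original posts. Assumes System.Web.
using System;
using System.Web;

public static class CookieHelper
{
    public static void Set(HttpResponse response, HttpRequest request,
                           string name, string value, TimeSpan lifetime)
    {
        var cookie = new HttpCookie(name, HttpUtility.UrlEncode(value ?? string.Empty))
        {
            // "/" stays "/", "/MyApp" becomes "/MyApp/": no "//" for root applications.
            Path = VirtualPathUtility.AppendTrailingSlash(request.ApplicationPath),
            HttpOnly = true,                        // not readable from script
            Secure = request.IsSecureConnection,    // HTTPS-only when issued over HTTPS
            Expires = DateTime.UtcNow.Add(lifetime)
        };
        response.Cookies.Add(cookie);
    }

    // Returns null when the cookie is absent; otherwise the exact original value,
    // including any '=', ';' or spaces it contained.
    public static string Get(HttpRequest request, string name)
    {
        HttpCookie cookie = request.Cookies[name];
        return cookie == null ? null : HttpUtility.UrlDecode(cookie.Value);
    }
}
```

The remaining corner case to be aware of: browsers match Path as a case-sensitive prefix, so an application path with mixed case must be written the same way in the cookie and in the request URL for the cookie to be sent back.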
Mar 2, 2010
I have the following code in my ASP.NET project
public sealed class IoC
{
private static readonly IDependencyResolver resolver =
Service.Get("IDependencyResolver") as IDependencyResolver;
static IoC()
{
}
private IoC()
[Code]....
View 2 Replies
Feb 2, 2010
I am running IIS 6.0 with Asp.net 2.0. I need to use popups which are safe and not blocked by Virus Protection tools or browsers. I know about <ajaxToolkit:ModalPopupExtender> but my understanding it is only available with asp.net 3.5.
My questions are: 1. Are there any other options to use safe popups, and if so, what are they? 2. Is there a way to effectively install <ajaxToolkit:ModalPopupExtender> with asp.net 2.0, and if so, what do I need to do?
View 7 Replies
Dec 15, 2010
Given a string in my database like "Computer Gadget", I am trying to achieve a url format like "http://xyz.com/products/details/computer-gadget" when a user clicks a link to the item "computer gadget" from a list view. In my list view for the products, I have Action links that read like this
[Code]....
When I hover over this link on the rendered page I get a link that looks like "http://xyz.com/products/details/computer+gadget" and the correct product detail is returned after I have url.decoded the string in my Details method. However, the returned page displays a url that looks like "http://xyz.com/products/details/computer%2bgadget". How can I get the returned url to show "computer-gadget" instead? Also when a name has "&" or "/" the server throws a Http 400 error message. I know these are unsafe values, but is there a way to work around this safely to allow the strings to keep these characters?
View 3 Replies
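One way to get the "computer-gadget" form, as an added example that is not the poster's code: derive a slug from the product name, store it alongside the record, and route on the slug rather than on the URL-encoded name. Characters such as "&" and "/" that the post reports as producing HTTP 400 are replaced by a hyphen instead of being encoded, so nothing that ASP.NET rejects in a path segment ever reaches the URL. The class name, the route and the 80-character cap are assumptions.

```csharp
// Added example, not from the original post.
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

public static class Slug
{
    private static readonly Regex NonAlnum = new Regex("[^a-z0-9]+", RegexOptions.Compiled);

    // "Computer Gadget"      -> "computer-gadget"
    // "Cables & Adapters / 2" -> every run of punctuation/space collapses to one '-'
    public static string From(string name, int maxLength = 80)
    {
        if (string.IsNullOrWhiteSpace(name)) return string.Empty;

        // Strip diacritics so "Café" and "Cafe" map to the same slug.
        string decomposed = name.Normalize(NormalizationForm.FormD);
        var sb = new StringBuilder(decomposed.Length);
        foreach (char c in decomposed)
            if (CharUnicodeInfo.GetUnicodeCategory(c) != UnicodeCategory.NonSpacingMark)
                sb.Append(c);

        string s = NonAlnum.Replace(sb.ToString().ToLowerInvariant(), "-").Trim('-');
        if (s.Length > maxLength)
            s = s.Substring(0, maxLength).TrimEnd('-');
        return s;
    }
}

// Usage in the list view (slug computed once and stored with the product):
//   <%: Html.ActionLink(product.Name, "Details", "Products",
//                       new { slug = product.Slug }, null) %>
// Route, registered in Global.asax before the default route:
//   routes.MapRoute("ProductDetails", "products/details/{slug}",
//                   new { controller = "Products", action = "Details" });
// The Details(string slug) action then looks the product up by its slug column.
```

Because two names can collapse to the same slug ("A & B" and "A B"), the slug column needs a uniqueness check when it is generated, typically by appending a numeric suffix on collision.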
Aug 17, 2010
My situation: when I deploy .NET assemblies to the GAC, I get errors (Cannot access xxx.dll because it is in use by another process). IIS uses those DLLs (assemblies).
Which is the best way (the most performant, quick and safe way), or all the ways, to stop and start IIS 6.0 on Windows 2003? (for C#, .NET 3.5)
Options, I think:
1. Detect IIS installed on the machine.
2. Process.Start() using the commands: iisreset /stop and iisreset /start
3. Use the ServiceController class to get the "World Wide Web Publishing Service" ("W3SVC") and do stop
controller.Stop();
controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(timeoutSeconds));
and do start
controller.Start();
controller.WaitForStatus(ServiceControllerStatus.Running, TimeSpan.FromSeconds(timeoutSeconds));
4. Process.Start() using the command: taskkill /IM aspnet_wp.exe /F (use w3wp.exe in Win2003)
5. Other options that I don't know?
View 1 Replies
Mar 10, 2011
I'm in the process of creating a blog engine on my website. Nothing fancy. The user will register some basic information, including the comment itself that is the issue of this question. Inside the comment field, the user can write some text, but there is currently nothing stopping him from writing anything harmful there that would mess up the page when rendering it with comments.
View 2 Replies
May 11, 2010
Is VSS 2005 the newest version? (As far as I've seen it seems like it is...)
Is this version compatible with VisualStudio 2005 and 2008? (it seems like it is...)
I've found some pages where they say really bad things about source safe, like VSS corrupts often and running "analyze" is recommended once a week....., check this one:
http://www.highprogrammer.com/alan/windev/sourcesafe.html or this one:
http://www.codinghorror.com/blog/2006/08/source-control-anything-but-sourcesafe.html. Should I use VSS or something else like SVN (Subversion)?
Does VSS require a separate license? I mean, for the VSS server or repository.
View 2 Replies
Mar 19, 2010
I want to use Profile Properties to keep some user information and move them between pages. I'm wondering if those profile properties keep data session-based, or when I assign them is it the same for all sessions? Is this a safe method to use them:
<anonymousIdentification enabled="true"/>
<profile enabled="true">
<properties>
<add name="userid" defaultValue="" />
<add name="password" defaultValue="" />
<add name="username" defaultValue="" />
</properties>
</profile>
View 1 Replies