Security :: Allowing User To Input HTML Code Securely?

Jan 30, 2011

I have a CMS page that allows the user to paste in or type HTML code into a TextBox in a FormView, then do an INSERT or UPDATE operation to an nvarchar(MAX) column in an SQL table. This is using an ObjectDataSource that refers to an insert or update method in a TableAdapter in my dataset.

When testing, the server initially warned me when I tried to input or update text containing HTML code; so I set the validateRequest="false" in my page header.

I gather this can be a serious security risk. What's the proper way to "validate" the string being input? Am I opening the database to SQL injection?

Only the site administrator has access to the CMS, but malicious could theoretically bust their way in...

View 1 Replies


Similar Messages:

C# - Unitpngfix Javascript:Void(0) Error Not Allowing To Show Page With Https (securely)?

Oct 28, 2010

I have a problem with the below one. This Javascript:void(0) is stopping me from showing the page securely with https. What is it actually? I have no idea about javascript.

var clear="js/clear.gif"; //path to clear.gif

document.write('<script type="text/javascript" id="ct" defer="defer" src="javascript:void(0)"></script>')

This file has the name js/unitpngfix.js*... I tried to see if it is being used anywhere. Yes, it is being used, and all the pages that use this will not be shown as https. In the Master page, it was used like this

View 1 Replies

C# - Allowing User To Save Contents Of Html List To Text File?

Dec 2, 2010

I'm working on an application (ASP.NET, Webforms) that generates a list of outputs based on a user input. I want to allow the user to save the contents of said list as text file, or possibly as other filetypes such as .csv. What is the best way to approach this? Can it be done client-side with Javascript?

View 2 Replies

Security :: Dynamically Change Html Code When User Is Authenticated?

Aug 22, 2010

So I have a fairly simple web site which allows an Administrator to edit some data in a database which is displayed on some web pages.

The main navigation on the site is shown in the code snippet below. The Admin link goes to a Login.aspx which allows the Administrator to log in - once authenticated they get sent to the data edit page.

So my question is, how could I dynamically add a link to the data edit page in the <ul> list below once the user is authenticated ?

This would allow the authenticated user to see links to the secure pages in the main navigation bar.

[Code]....

View 6 Replies

Encoding - C# Multiline Textbox Allowing Input Above UTF-8?

Feb 7, 2010

In my web.config I have

<globalization
fileEncoding="utf-8"
requestEncoding="utf-8"
responseEncoding="utf-8"
culture="en-US"
uiCulture="de-DE"
/>

In my page directive I have

ResponseEncoding="utf-8"

Yet for some reason an ASP TextBox with the TextMode="MultiLine" allows inputs of characters outside of UTF-8. When I paste the following line of text into an ASP TextBox that is not MultiLine

the non UTF-8 characters are replaced, but not when I use a MultiLine TextBox.

EDIT: To explain a little more the set up I am seeing this problem in, here are 4 text areas that can be put on an ASP page.

<asp:TextBox ID="txtTest1" runat="server"></asp:TextBox>
<asp:TextBox ID="txtTest2" runat="server" TextMode="MultiLine"></asp:TextBox>
<input id="Text1" runat="server" />
<textarea id="Textarea1" cols="100" rows="8" runat="server">

View 2 Replies

Security :: How To View Only The Webpage Content That Was Delivered Securely

Dec 18, 2010

When I run my page on https it is giving me the error: Do you want to view only the web page content that was delivered securely?

This web page contains content that will not be delivered using a secure https connection, which could compromise the security of the entire web page. I am getting this error when running it in IE8. In Mozilla I am having a warning... Contains Unauthenticated Content. I have checked my page source code but did not find any http content; all are having relative paths etc.

View 4 Replies

Security :: Sending Form Data Securely By Email?

Jan 17, 2011

I'm building a website for a client on which they want site visitors to be able to fill out a form with the relevant information along with their credit card details, and when they submit the form, the information will be sent to the client in an email. This is an experimental service that they're offering so they're not interested in real time credit card processing yet. If I just zip the collected data up into a password protected zip file, and send that in an email to the client, would it be secure? Or do I have to go further than that to secure the data?

View 1 Replies

MVC :: Allowing The Specific Email Address Format As Input?

May 11, 2010

I have a page in MVC where I want to take the email address as the input, which can be of a format like: "Jone Davi" <jone@gmail.com>, "Ben Miller" <ben@gmail.com>, "Jane Ton" <jane@gmail.com>,

Then from this I want to parse the valid email address. But on click of the submit button I am getting the error message "A potentially dangerous Request.Form value was detected from the client". Thus, is there any way to take the input of email addresses in the above format and bypass the security error for that specific page?

View 2 Replies

Web Forms :: Write Some Html Base On The Input Provided By The User?

Sep 15, 2010

I have to implement a taglib (Java) kind of functionality in an ASP.NET application. I need to send parameters from the aspx file, e.g. (<cc:displayhtml id="id1" runat="server" customparam="123"/>), and I need to write some HTML based on the input provided by the user. Can somebody please help as to how I can do this?

View 6 Replies

Web Forms :: Access Html Hidden Input Field Embedded From Server Side Code?

Jan 26, 2010

I want to integrate PayPal inside my shopping cart. For that it requires an HTML form to be embedded inside the .aspx page with the action set to PayPal and the method set to post. Inside that form there are some hidden input fields. I want to assign one of those hidden fields' values from server side code, so I need to access that field from the server side. But how? Here is my form:

<form action="[URL] method="post" id="PaypalForm">
<input type="hidden" name="cmd" value="_cart"/>
<input type="hidden" name="upload" value="1"/>
<input type="hidden" name="business" value="[URL]
<input type="hidden" name="item_name_1" value="Item Name 1" />
<input type="hidden" name="amount_1"/>
<input type="submit" value="PayPal" />
</form>

I want to access the amount_1 field.

View 3 Replies

Security :: Way To Check Input From User Preventing XSS?

Jun 3, 2010

I want to prevent cross site scripting in my website... is that good to use innerhtml, htmlencode?

View 3 Replies

Design A Webform For Entering/editing User Input Using C# Code?

Jul 15, 2010

After going through a few ASP.NET 2.0 books superficially, I want to accomplish most of the tasks using C# code and an SQL database.

1. We can access and update data in various ways, like using sqldatasource code, data reader, command object, dataset, datatable etc. But which one to use in which situation? I am very confused. What do you prefer most, and why?

2. How to code in a professional way? I mean, how to separate code using different classes and how to link it all together?

3. I want to design a webform for entering/editing user input using C# code and use presentation controls like gridview and detailsview for viewing, paging and sorting only. Is this possible?

View 2 Replies

Security :: Storing And Displaying User Input (encoding Query)?

Aug 30, 2010

How to handle html and scripts. What if I build my own CMS? Isn't it inevitable that I'll want to store html code, possibly scripts, and almost certainly apostrophes and special characters, and then display them again?

What's the best way to do this, since I wont want to display the encoded html, but the html itself.

Would it be to encode everything then when I want to actually display the html, decode it, but everywhere else, keep it encoded?

I'm just trying to think of all the scenarios that I could come across when I accept user input where I don't know what they could be typing in. What if I WANT the user to be able to display html? Is it possible to decode only some tags but leave all other tags encoded?

View 10 Replies

DataSource Controls :: System.FormatException Was Unhandled By User Code - Input String Was Not In A Correct Format?

Jan 20, 2011

"System.FormatException was unhandled by user code - Input string was not in a correct format"
This is driving me crazy! Can anyone see what the problem is?

[Code]....

View 15 Replies

Web Forms :: System.FormatException Was Unhandled By User Code Message=Input String Was Not In A Correct Format

Sep 19, 2010

[Code]....

If the table no data is displayed this error:

System.FormatException was unhandled by user code Message=Input string was not in a correct format.

[code]....

View 5 Replies

How To Let User Upload Multiple Images Without Pre-defining The Number Of HTML Upload Input Box

Nov 30, 2010

I'm looking for a way to have the user upload as many images as they want (perhaps via drag and drop) or dynamically adding more upload boxes. I thought statically fixing (say 6) HTML upload input boxes is slightly limiting, and the user has to click the "Browse" button (6 times in this example) and navigate to the folder to pick the file. What is the best practice to achieve this so users find it easy to use? Perhaps with some AJAX magic? I also wouldn't mind having the user click "Upload more" to reveal (say 6 more) HTML upload input boxes.

View 2 Replies

VS 2005 - HTML Input Control To Open File Dialog Window Where User Can Select A File

Jun 24, 2011

I am using HTML Input control that will open a file dialog window where user can select a file.

Is there a way to set a path from where to open the window. Right now it looks like the default folder is "My Documents".

I need it to point to something like "ftpexternalftp$Data"

View 1 Replies

C# - Is There A Security Reason To Validate A Textbox Input If You Are Limiting The Max Length Of The Input

Oct 1, 2010

Since I'm new to coding and I'm trying to understand why, here is a little more detail on the question. If you have a text box and you are limiting the input to, say, 2 characters, do you really need to validate the input further? What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox? I should add this is in ASP.NET.

View 8 Replies

Web Forms :: How To Generate Rtf File Based On Input Field (textbox Input By User) C#

May 27, 2010

How can I generate an RTF file based on an input field (textbox input by user) in C#?

View 3 Replies

Allowing User To Sign Pdf File?

Feb 26, 2011

I have a pdf file and want to allow the user to upload a gif file of their signature and display the signature in my pdf file...

follow the link [URL]

View 1 Replies

VB.NET Web Application Input Box / Input Box That Comes Up When A User Clicks 'Find' Button?

Aug 4, 2010

I would like to program an Input Box that comes up when a user clicks 'Find' button. It asks 'Please enter an employee number'. Then it takes the employee number typed into a text box and searches a dataset for that specific employee record.

I know that it should be server side because the client may not have the proper JavaScript installed, or it may be disabled. Therefore, can someone give me some code to put in the code behind that can pop up an input box and use the input after, if this can be done?

View 1 Replies

Security :: How To Concerns With Allowing Post Login Information

Oct 5, 2010

I have a third party company that we need to allow their users to pass into our website without logging in. To keep it easy I was thinking of having them post to a custom login page on my site.

So their code would be something like this:

[Code]....

My landing/login page would do something like this.

[Code]....

My question is whether there are any security issues when using this kind of method? I am not sure yet what their site is written in. I figured that they could figure out how to do the post as long as I have the landing page for them and there is no security issues.

View 4 Replies

Security :: Allowing Access To Users Who Are In Multiple Roles?

Feb 26, 2010

I have a web.config file with an <authorization> section. I'm using Windows authentication.

The problem is that I would like to allow access to the web site to those users who are in multiple roles.

For example:

<authorization>
<allow roles = "Role1 AND Role2"/>
<deny users="*"/>
</authorization>

(Meaning I would like to allow access only to those users who are both in Role1 AND Role2.)

Is it possible to achieve this?

If not, what would be the alternatives?

Note: Currently I'm doing the roles assignment in the Global.asax file in the OnAuthenticateRequest event (I'm reading the groups that the current user belongs to in the Active Directory).

View 4 Replies

Security :: Reason For ValidateRequest Allowing &bull; But Not &#8226;?

Jul 9, 2010

I've noticed that setting ValidateRequest="true" on the page blocks input of the form &#8226; but not &bull; - which are the same characters. Does anyone know why the first type is not allowed but the second type is? I really could not find a place where it defines what is meant by dangerous script and what is actually blocked when the ValidateRequest is set to true.

View 3 Replies

How To Display The Complete Section Instead Of Allowing To Register Another User

Apr 11, 2010

Something is wrong with my registration page. After I register a user, it goes to the complete section of the page, but anytime I return to the register page, it only displays the complete section instead of allowing me to register another user. I tried logging out, but that doesn't change it. What have I done wrong?

View 1 Replies






