Security :: Prevent HTML / Script Injections Into TextBoxes?
Apr 13, 2010
I usually use HttpUtility.HtmlEncode and HttpUtility.HtmlDecode for this, but my fear is that someone injects some nasty JavaScript. I encode it before committing it to the database so it doesn't harm me, but the next person who pulls up the page gets the JavaScript because I decode the HTML before rendering the page.
What's the best way to handle this in public facing websites?
View 1 Replies
Similar Messages:
Jan 28, 2010
I have written a namespace for a guestbook for my personal website. When I use a quote (") or single quote (') in a guestbook message, the system (server) gives me a warning that there is an error in my SQL syntax.
Incorrect syntax near 'are'. Unclosed quotation mark after the character string ')'.
I have tried to implement the answer from an older topic written by me in the namespace, but it gives me errors. [URL]
How can I protect this namespace against SQL injections?
[Code]....
View 4 Replies
Sep 2, 2010
I have several text boxes in an ASP.NET Web Form. I want to ensure that users are not entering HTML into those text boxes. However, I'm not sure how to prevent HTML from being entered. Because of this, I decided that I want to only allow alphanumeric characters, spaces, exclamation points, sharp signs, dollar signs, percentage signs, carets, stars, and left and right parentheses. I'm omitting the ampersand because I do not want them entering something like "<script&rt;..."
View 4 Replies
Aug 17, 2010
I am using Microsoft Visual Web Developer 2010 to build and publish my website, and I am facing a security problem. My website has an authentication service for my clients; each one has his own user name and password. After I introduced a new member, my database collapsed; maybe this last member is a hacker. Is there a way to improve security vulnerabilities to prevent future attacks? Maybe through web.config, which could be encrypted.
View 11 Replies
Feb 2, 2010
I would like to render a simple list of - Controls. My ASP.NET code-behind looks like:
RadioButtonList list = new RadioButtonList();
list.ID = rbl.name;
list.CssClass = rbl.cssClass;
[code]...
View 1 Replies
Jun 12, 2010
When you render one of the "built in" HTML helpers (say "TextBoxFor") with ":" (so it's encoded), it renders fine. However, if I render the following (a custom file input helper) with ":", the markup is displayed. I understand why. Just don't know how to prevent this (no, I want to stay with ":" and not use "="). (I looked at the source code for the built-in ones, but can't see what I'm missing: http://aspnet.codeplex.com/SourceControl/changeset/view/23011#288010 )
[Code]....
View 4 Replies
Dec 8, 2010
I am using the MS Ajax HTML EDITOR control in C#.
I would like to know if it is possible to FORCE the HTML EDITOR control to NOT ACCEPT text from PASTE (shortcut Ctrl+V or menu command).
My aim is to prevent inline CSS code from being added to the text.
I would allow the user to add text if it is pasted with the HTML EDITOR button PASTE PLAIN TEXT.
View 1 Replies
Dec 24, 2010
I'd like to have an asp.net textbox that people can paste content into and it works like notepad, i.e. no formatting or special characters will get entered. I take text and pass it to a web service which manipulates it and converts it into a tab delimited file. The problem I've experienced is sometimes people copy from MS Word and paste that content in and somehow even the tab characters etc. get passed to the web service. I run routines now to strip that information out but it would be so much easier if the textbox on the web page didn't capture anything but the text itself, i.e. visible characters (numbers, letters, punctuation).
View 3 Replies
Aug 31, 2010
I want to prevent users from entering URLs (like a href="") in a TextBox.
I want to use a regular expression validator but have no idea what to write.
How can I do it?
View 7 Replies
Jan 30, 2010
I have a GridView bound to a DataTable that I construct. Most columns in the table contain the raw HTML for a hyperlink, and I would like that HTML to render as a link in the browser, but the GridView is automatically encoding the HTML, so it renders as markup.
How can I avoid this without explicitly adding HyperLink, or any other, columns?
View 3 Replies
Sep 22, 2010
I'm using the ajaxcontroltoolkit htmleditor to create blog posts for my website. The editor works fine when entering a new article. When I click the Bold button, the text appears bold. When I hit enter, the editor creates a new line, etc. However, I also use the htmleditor when I want to edit a preexisting article. The problem I'm receiving is that when I bring a preexisting article into the editor, it displays a mess of HTML tags rather than the clean, formatted text.
For example, if I type the following into the editor:
...when I go to edit it, it shall appear as:
[Code]....
Is there any way to force the editor to display this text properly when editing rather than showing the HTML tags?
View 3 Replies
Oct 27, 2010
It's great that Razor HTML encodes by default. However, many times I have HTML in a database and want to display it literally on a page. In WebForms 4, we can use <%= %> and <%: %> to choose between encoding options. Raven's syntax is currently @(new HtmlString(Model.Greeting)).
Add a shorter syntax to Razor. Something like @=Model.Greeting or @@Model.Greeting, or something else.
View 7 Replies
Jan 10, 2011
how to prevent copy pasting option textbox
View 3 Replies
Aug 4, 2010
I have a textbox with a calendar icon next to it. When the icon is clicked, a popup form displays the calendar control. I have it set up so that they can only select the week-ending date (Saturday), and that date is displayed in the textbox.
I want to prevent users from editing the textbox. I've tried using the readonly and enabled properties but that doesn't work.
How can I keep users from modifying the date in the textbox?
View 5 Replies
Aug 16, 2010
I have a page in which the user enters a password and verifies it. Below these controls is a link that will pull information and fill out other parts of the page.
No matter how I arrange the update panels, the password textboxes are cleared out. I don't want to use session, viewstate, or attributes as it is my understanding that will leave the password in the html of the page when rendered. I thought the whole idea of using update panels was so that one portion of a page could be updated without affecting another portion (for example clearing passwords).
View 2 Replies
Jan 25, 2011
I have a page. Design is
[Code]....
I have 4 xml files.
And my code is [Code]....
[Code]....
[Code]....
When I enter tagid, if it exists, the tag name will come; otherwise custom will display in tagname. Similarly, when I enter tagname, if it exists, tagid will come; otherwise custom will display in tagid. My problem is that when I click on the submit button, custom will be saved in the database in both tagid and tagname.
View 1 Replies
Mar 18, 2010
How can I pass a value from ActionResult to html.textbox or Html.TextBoxFor in the View?
View 2 Replies
Mar 9, 2011
I have some data in HTML format saved in the database, like the chat as follows.
Roy, 2/11/2011:
Sree, 2/11/2011:
But it gets saved in some HTML format in the database as follows.
[code]....
So, is there any way that I can show this in the text box the way I need? While debugging the code, when I used the HTML Visualizer, it showed me the correct format. How can I achieve this in my TextBox control?
View 2 Replies
Jan 19, 2011
I have a textbox which I need to enter HTML code into (like < strong> or < em> for example). The trouble is this is causing an error writing this back to the database: A potentially dangerous Request.Form value was detected from the client (tbVOther="< strong>test
Is there a way around this without turning off the request validation setting?
View 3 Replies
Dec 10, 2010
I have a TextBox which has
id="test" AutoPostBack="true" OnTextChanged="server event"...
On the client side I wrote logic that, if it fails, should prevent the server event from firing.
I tried
[code]....
I can see the alert fire, but cannot prevent the server-side event from firing.
View 11 Replies
Mar 24, 2010
I've set up a page where I create logins with CreateUserWizard. I can log in with the created account, but I get logged out after about 20 min if I don't do anything (reload etc.). How can I remove this timeframe? I don't want a timeframe at all; I want to stay logged in until I close the browser.
View 3 Replies
Dec 4, 2010
I have a comment form inside the blog posts. In the form, if the user is authenticated, I will assign the values of the user to the textboxes. That part is as follows:
[Code]....
But when I add HTML.TextBox instead of HTML.TextBoxFor, I am not getting validation if the user erases the fields. Also, this form is inside the index page and it is related to another action as follows:
[Code]....
So I cannot assign ModelState.AddModelError from the controller.
What should I do here?
View 4 Replies
Aug 3, 2010
Whenever I enter data in a text box, such as two words with many spaces in between, on postback .Net appears to automatically replace the many spaces with one space. I want the data to be exactly as it is entered in the text box.
textbox: word1 word2
postback result: word1 word2
desired result: word1 word2
View 3 Replies
Jul 30, 2010
I am trying to prevent users from submitting ASCII codes in a textbox using a RegularExpressionValidator.
This works fine and I am able to display an error.
However when the user clicks on another button on the page I get the "A potentially dangerous Request.Form value was detected from the client" error. Is there a way to prevent this?
View 5 Replies
May 7, 2015
When I load the login page and enter the user name, the password textbox shows the password. I want the password textbox to be empty each time I enter the user name, so that I enter the password myself...
View 1 Replies