Storing HTML In Db While Avoiding Persistent Xss / Sql Injection?
Nov 29, 2010
I'm building a page in asp.net that will use tiny mce to provide a rich text editor on the page. Tiny mce outputs the rich text as html which I would like to save to a database. Then at a later date, I want to pull the HTML from the database and display it in a page.
I'm concerned about allowing malicious html, js tags into my database that would later be output.
I should html encode/decode etc. to prevent a persistent xss attack and or sql injection attack?
View 4 Replies
Similar Messages:
Oct 16, 2010
I have developed an asp.net application that I developed using visual studio express 2008.
With this application, I have 20 sales items. I can sell 10 of each item each day. Customers can order the items in advance but once an item has more than 10 orders for the day then I can not sell any more of the items for that given day. If a customer tries to order another item after 10 has already been ordered then I must tell them that no further items of that kind are available. So for each day there can be possible 200 orders total (20 items x 10 sales). Customers can order months in advance...
So, my question is what kind of storage device do I use to keep track of this kind of data? Database or application variable or other?
View 3 Replies
May 12, 2010
I've just started wokring with Asp.Net mvc and i relay love it. One thing I don't know how to do it yet is:
If I want to develope a new user control (e. g. PeoplePicker) how I get the data? I don't want to use allways ajax requests, some controls should be initialized when the page is loaded. So I could use the Html Helpers and create own extension. So far this is exactly what i want and it's working. But now to the real problem. I can't use dependency injection in extension methods (I'm using spring.net, but the problem should be in all di frameworks).
So which approche is the most common to use this problem? Must I realy pass in the data from my controller? But then the controller must know how my user controls works, I don't want that!
View 6 Replies
Oct 1, 2010
I'm using Cute Editor for ASP.NET for the first time, and it's occasionally refusing to insert or update a record. Basically the records are just composed of a bunch of HTML and text. So far I can't detect a pattern to the problem and I'm wondering about my data type.
I tried VARCHAR(MAX), NVARCHAR(MAX), and NTEXT, doesn't seem to fix it.
So what is the best SQL data type for HTML?
And could that be causing CuteEditor to refuse to insert/update records? Or something else?
View 10 Replies
Aug 31, 2010
I am storing small webpages in html format in a varchar(max) column in MS SQL server 2008. Now I want the gridview to show the column as a button/hyperlink such that when I click it, I will be redirected to a new webpage which will render the html in the table corresponding to that row.
I tried using the buttonfield control but there doesn't seem to be any way I can access the datafield and underlying html in that case.
View 1 Replies
May 18, 2010
I am building a web site similar to Craigslist. I would like to know how to store the html formatted text (bold / italics / font size etc) in a sql 2008 database?In order words, the user would enter their text, format it with font size, bold etc and save the information. Whats the most efficient way to store that in a database?
View 6 Replies
Mar 17, 2010
I was wondering if anyone had a tutorial or overview of the best way to store html in a MS SQL database, and then calling it back up and displaying it and should I save the decoded html in ntext?
View 5 Replies
May 11, 2010
I have a File Uploader in my ASP.NET application Using C#, we can upload any type like images, documents, pdf etc.
I m storing it in the Filesystem and having only the Name of the File in DB.My doubt is can we store the entire file, images in DB. State me Which is good practice and why we need to use it.
Either file System Storage or SQL DB Storage.
View 4 Replies
Jun 7, 2010
Is there a way to set a persistent session that would not expire when closing/re-opening a browser. The cookie that is used to store the session_id expires when the browser is closed.
I know we can make the Auth persistent (stay logged in when we close and re-open a browser). In this case, the cookie does NOT expire when the browser is closed
View 1 Replies
Jun 29, 2010
i am creating cookies with following lines:
HttpCookie userid = new HttpCookie("userid", objUser.id.ToString());
userid.Expires.AddYears(1);
Response.Cookies.Add(userid);
Now How to make it persistent?
Because if I visit the same page again after closing the browser, I'm unable to get it back.
View 3 Replies
Jul 28, 2010
I have currently have a web application that caches a large amount of data (several hundred thousand entries) in memory for quick lookup and then in SQL Server as a persistent cache. Basically the information consists of geocodes of addresses where the geocode is retrieved via a remote web service which takes time if needed to be called continuously rather than cached.
Would using RavenDB (or other suggestions) be a better way of caching this information in a persistent store in terms of both speed and memory?
View 2 Replies
Jan 18, 2011
I am generating an output on a webpage in a format like this
({"1":"Jeff","2":"Tom","3":"Michael",})
For this, basically this is the code I am using
Response.Write("(" + "{");
//
for (Int32 i = 0; i < k.Length; i++)
{
Response.Write(Convert.ToString(k.GetValue(i)) + ",");
}
//
Response.Write("}" + ")");
Notice my output, after Michael" there is a comma which I do not want since this is the last vaue but this is appearing since , is in the for loop. How to prevent this/remove this last comma from appearing?
My output should be ({"1":"Jeff","2":"Tom","3":"Michael"}) (There's no comma after last value here)
View 8 Replies
Feb 24, 2011
I recently read an article on making ASP.NET sessions more secure here and at first it seems really useful.
Previously I had been storing the user's IP address in the session, then making sure in every subsequent request that the requesting IP was equal to the stored IP.
The code in the article also protects the session by checking the IP address, except it stores a hashed message authentication code containing the user's IP as part of the session cookie. It creates a hashed MAC twice every request, which I imagine would slow things down a little.
I can already see a potential flaw in their code: if you were to somehow get a hold of the key used to generate the MAC, you could then generate a valid MAC with your own IP - you wouldn't even have to fake the IP the session was started on.
It seems like an overly-complex solution to a simple problem which not only incurs a larger overhead but also is more susceptible to attack than the trivial method - unless I'm completely missing the point.
So, why would this approach be any more secure than the more simple approach that I had been using?
As a slight aside, the author also states that you shouldn't use the whole IP address in the comparison, as some user's IPs change every request if they are behind a proxy. Is this still the case if you check X_FORWARDED_FOR?
View 1 Replies
Jan 31, 2011
I'm having issues with an ASP.net site (framework 3.5, IIS6 ) having very slow 'first hit' response times. I'm guessing that the issue is to do with the app pool recycling and having to warm up.
I got to thinking. As part of the site I have a HTTP module that spins up a 'never ending loop' on a separate thread which periodically (every 5 seconds) calls an sproc on SQL to make sure the database is still there. I'm wondering if a similar approach might work to get the site to make an HTTP request to "itself" as a keep alive.
My question is, before I go and do this, can anyone think of any reason why it won't work? For example, something like "oh no... ASP.Net will figure out that you're playing with yourself and not go through the whole page lifecycle... etc etc".
View 1 Replies
Sep 24, 2010
avoiding postback using updatepanel
View 4 Replies
Feb 19, 2010
I have a button in my page. If i click enter in the page the button click event is getting fired. How can i avoid this?
View 9 Replies
Dec 21, 2010
I want my cookie to disappear when the user closes their brower-- I've already set some promising looking properties, but my cookies pop back to live even after closing the entire browser.
HttpCookie cookie = new HttpCookie("mycookie", "abc");
cookie.HttpOnly = true; //Seems to only affect script access
cookie.Secure = true; //Seems to affect only https transport
What property or method call am I missing to achieve an in memory cookie?
View 4 Replies
Aug 8, 2010
i have a list of fields that i would store for all the user session. I thought to create a class, insert the information in it and store the class in the session but i'm not sure this is the best way to do it (performances, etc). I should have a list of these informations that i can display in views, i can delete and i can update. How could i do this?
View 10 Replies
Apr 25, 2010
I need to connect to a WebService provided by someone else. This WS (all https) has three methods that are accessible without having logged on:
login, logoff, getVersion . All other methods require that the login-method has been called before. Nothing special unto this point. However, the docs state that I have to make sure that (quote):
"All method calls between login and logoff are to be carried out by means of the same persistent http-connection (key word: http persistent connections or http connection reuse"
I seem to be unable to figure out how that would work - all WS'es I ever utilized were either taking user/pwd combinations in each method call or the login-method returned something like a SessionID which was then used for each subsequent call to a given method (i.e. passed as a parameter). If I call the login-method and subsequently call any method that requires authentication, the call will fail with an exception telling me that I need to log in first.
View 1 Replies
Jul 29, 2010
I have a web parts page in which each web part has its own personalization data(list of DB table primary keys). At startup, I want to get thecombined data stored in each web part to make a query in the background. Is it possible ? Currently I have to wait for IPersonalizationData.Load for each web part to get what keys are stored by each. Is there a way to store personalization data for the whole page ? I can't use profile as this data is not per user. Worst case is write to a file which I want to avoid if possible.
View 2 Replies
Mar 23, 2011
I have 2 points for today I. I have a controller in which i have a public static method for getting the details for a checkbox like
[code]....
is it ok for me to use this same function like this one in the view, so that I do not need to use the viewdata object,
<%: Html.DropDownList("country", new SelectList(UserController.GetCountryLists(), "value", "countryname", "0"))%>
Also i have another query, when i use the same id & name for the radiobuttons, validation at the client side is working fine.If I use the same condition for a group of checkboxes, i get do not get the checkboxes highlighted during client validation and only during server validation, i get the error message, but the controls [checkboxes] do not have a red border indicating the error.I have used my own html helper to generate the checkboxlist as per [URL].
View 1 Replies
May 31, 2010
I just did an audit of one of my web application page (built using ASP.Net and running on development server) using Google chrome's developer tool. One particular warning caught my eyes:
Serve static content from a cookieless domain (5)!
Here is my screen shot [URL] as well. I would like to know is it possible to avoid cookies for these kind of requests. I see that there is no cookie requests for javascript files as well. I it possible to avoid cookies in the header for these files as well? and why didn't the browser attach cookies for javascript files and attach for CSS and image?
View 1 Replies
Sep 9, 2010
Like many people using ASP.NET MVC, I've implemented my own custom 404 error handling scheme using an approach similar to the one described here: [URL]
(I actually discovered that post after implementing my own solution, but what I came up with is virtually identical.)
However, I ran into one issue I'm not sure how to properly handle. Here's what my 404 action in my ErrorController class looks like:
[Code]....
The part that's different from the answer in the other StackOverflow question I referenced above is how the 'retry loop' is prevented. In other other answer, the code that prevents the retry loop simply sets properties on a ViewModel, which doesn't seem to actually prevent the loop. Since the action is sending back a response code of 404, then accessing the action directly (by typing "/Error/NotFound" in the browser) causes an infinite loop.
So here's my question: Did I miss another, more obvious way to handle the retry loop issue, or is my approach a decent way to do this?
View 1 Replies
Dec 21, 2010
I have a website I am working on and I am using the following code quite often to access the database:
[Code]....
I have a few buttons on one page that use something similar like this in the code behind. I have heard to look into ADO.NET but I was wondering if there was a quicker way then creating model and business layers etc.
View 2 Replies
Apr 5, 2010
i am using simple form in that i put 3 upload option when i click the upload button the 3 files are stored in to unique directory. but when i refresh the page once again again it store the file once again to the directory . how to fix this problemin asp.net C#
View 5 Replies
