Inserting / Outputting Html At Runtime Poses Security Risks

Apr 24, 2010

I'm building a website at the moment. I have some HTML fragments that are being stored in the database, and I've been reading that inserting HTML at runtime by using the InnerHtml property of any HTML tag with runat="server" on it poses security risks. So, my question is: is there any alternative way to safely display the HTML code that won't pose security risks, and is it best to assume any textbox on any given page is dangerous and process the text in the textboxes with Server.HtmlEncode before I store it in the database?

View 1 Replies


Similar Messages:

File Upload - Security Risks Or Concerns With The Use Of FileUpload Control?

Feb 11, 2011

I have to create a utility through which a user can upload single or multiple files with the use of the asp.net FileUpload server control.

I am looking for the security concerns for the same. What are the points we need to keep in mind which violate security? One main issue in my mind is related to viruses - meaning:

How to prompt the user about viruses and terminate the upload operation? How to scan files for viruses during the upload operation? There may be several security risks. Discuss the issues/risks with proposed solutions.

View 1 Replies

MVC :: Best Practices For Outputting HTML?

Jan 29, 2010

I'm very new to MVC (just started 2 days ago), and I would like to know what the best practice is for outputting HTML.

I have a model named Tools.cs which contains the code below. It uses a stored procedure to return a recordset of menu items, and another to return a second level of menus for each first-level menu. In another function, I then loop through the recordset and generate the HTML code to display the menu in a string, which is then returned.

I then have a controller MenuController.cs which calls the GetMenu method and puts the returned HTML string in the ViewData["RightMenu"].

I then have a view which displays the result.

My question is: would it be better practice to return my datareader to the controller into ViewData["RightMenu"], and then loop through it and construct my HTML in the View instead? How would I get that to work with that second level of menus? [Code]....

View 2 Replies

C# - Disallow Asp:Literal From Outputting HTML?

Aug 10, 2010

Is there a way to disallow the asp:Literal from outputting HTML?

If I input the text <b>Hello world</b> I want to show it just like that, and not in bold.

If possible I don't want to extend it, because I would have to change the whole project.

View 3 Replies
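An added example, not code from either post above, for the first question (displaying stored HTML fragments without the InnerHtml risk) and the asp:Literal question (showing <b>Hello world</b> literally rather than in bold). It assumes a Web Forms page with a server-side div named divBody and a Literal named litBody; the stored string is constructed.

```csharp
// Added example, not code from the original posts.
// Assumed: a Web Forms page with <div id="divBody" runat="server"> and
// <asp:Literal ID="litBody" runat="server" />; the stored text is constructed.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ShowPost : Page
{
    // Constructed stand-in for text a visitor typed into a textbox and the
    // site saved verbatim. Treat anything of this kind as untrusted markup.
    private const string StoredText = "<b>Hello world</b>";

    // Encode at the output boundary rather than before storage: the database
    // keeps exactly what was entered, so the same text can later be shown in
    // a non-HTML context (e-mail, JSON, a report) without decoding it first,
    // and re-saving an edited post cannot double-encode it.
    public static string ForHtml(string stored)
    {
        return HttpUtility.HtmlEncode(stored ?? string.Empty);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The pattern the first question worries about: raw stored text
        // assigned to InnerHtml is rendered as markup, tags and all.
        // divBody.InnerHtml = StoredText;   // renders bold text, runs any script

        // Safe default: InnerText HTML-encodes the value, so the browser shows
        // the characters "<b>Hello world</b>" and interprets none of them.
        divBody.InnerText = StoredText;

        // Same outcome for a Literal: Mode=Encode makes the control encode its
        // Text, answering the "disallow asp:Literal from outputting HTML"
        // question without subclassing the control across the project.
        litBody.Mode = LiteralMode.Encode;
        litBody.Text = StoredText;

        // When some markup must survive (the blog-post case), encoding is the
        // wrong tool; run the fragment through an HTML sanitizer that keeps an
        // allow-list of tags, then assign the sanitized result to InnerHtml.
    }
}
```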

WCF / ASMX :: Outputting Html String Of XML File Associated With XSL

Apr 3, 2010

[Code]....

The above Web Method compiles but does not work. Originally I was using Console.* stuff, but that didn't work either. The string arguments are remote URLs. What's wrong with this code?

View 3 Replies

What Are The Risks Of Allowing Quote Characters As Part Of A URL Parameter

Nov 2, 2010

I need to allow the user to submit queries as follows:

/search/"my search string"

but it's failing because of request validation, as outlined in the following 2 questions:

[URL]

I'm currently trying to figure out how to disable request validation for the quote character, but I'd like to know the risks before I actually put the site live with this disabled.

View 1 Replies

WebMatrix :: Pulling HTML From A Database And Inserting It In To A Page?

Jul 27, 2010

I have searched endlessly for an answer but found nothing useful! I'm writing a simple blog application using Web Matrix and it's going pretty well, but I have run into a problem. I am storing the content of each blog post in an ntext field in a table with the intention of entering HTML into the database and then having my application pull it out and insert it into a few different view pages. The problem is that all of the '<' and '>' characters are getting converted into '&lt;' and '&gt;' when my application pulls the HTML from the database and displays it. I understand that this is for security (preventing code injection?), but only trusted users will ever be able to write posts using my application. Here is a screenshot of what gets displayed by my application:

Is there a way to disable this behaviour or work around it somehow?

View 3 Replies

AJAX :: Inserting Image In HTML Text Editor?

Mar 15, 2010

I have uploaded my website where I have made a Forum/Blog...

and to insert posts I have used an HTML text editor...

But I cannot understand how to insert images in it...

I can insert one by giving the URL of an image as the src value.

But if the image is not available on the net and I want to insert it from my computer, then how will I insert it?

View 3 Replies

Html - Inserting A .swf Or Flash Files In Visual Basic?

Jan 31, 2010

Inserting a .swf or flash file in Visual Basic ASP.NET: give me a coding sample or procedure or a link to inserting flash files in my web form in VB ASP.NET.

View 2 Replies

Inserting A Table In HTML Email With System.Net.Mail?

Jan 30, 2011

I am having trouble putting all of the pieces together.

Can anyone give me an example of code to use with ASP.Net 3.5 that will send an HTML email using a Table in the Body? Or as the Body?

View 5 Replies

Web Forms :: How To Generate Html At Runtime

Jun 24, 2010

I have some HTML data stored as binary in a SQL Server database. After pulling this from the database I am rendering it using response.write(str); // str is the HTML data...

Now the problem is that while rendering, the page gets wider and a horizontal scroll appears.

Now what I want is that the horizontal scroll should not appear.

way by which I should create the container. My HTML data should reside within the container.

View 3 Replies

Web Forms :: Parsing Html From Ckeditor And Inserting Usercontrols In The Text?

Feb 1, 2011

I am trying to add some widget-functionality to the CKEditor using custom plugins.. Does anyone have any experience parsing the resulting html or getting the job done in another way?

What I am looking for is to add something like a news-block at a user specified place in the text, like an ordinary image..

I have thought of several options, like just adding an iframe that takes care of the content automatically (from the src url in the iframe), but that way I lose the text formatting/css.. I have also thought of adding the content dynamically with some ajax onload, but that way I might lose some viewers..

Finally I have come to the conclusion that using custom tags like <something options="..." /> or even <div class="something" options="..."></div> and then replacing them with usercontrols is the best solution.. But how to accomplish this? I know how to add controls to other servercontrols, but how to add them easily in some random text? It could be something like putting the text prior to the widget and after into a placeholder and adding the widget-control in between..

View 1 Replies

Visual Studio Inserting Indents As Spaces To Html Output?

Jan 4, 2011

I am using Visual Studio 2010 for an MVC website project. I have a big problem and don't know how to solve it. When I look at the output HTML in Firebug, the indents in my aspx and ascx files are output as spaces in the same places. I think it's about the line endings of the files but I am not sure how to fix them. I am adding some pictures about the problem.

When I add a breakpoint it also adds a red background to the spaces (this is the problem). I tried to delete the spaces; after hitting Ctrl+K, D the same problem happens. If I delete all indents and make the page 1 line without spaces the output is fine, but it is not a solution.

View 1 Replies

Assign Html Label Text At Runtime

Aug 25, 2010

I want to send one HTML page with email. The contents of a label in it will change. Can anyone tell me how to assign text to a label in VB.NET code at runtime?

View 4 Replies

Security :: CreateUserWizard With Inserting A New Member?

Nov 20, 2010

I can't seem to add a new member when using the CreateUserWizard.... All my validation seems to be working... I don't think it is wired up correctly though because: 1. No user is added to the database (remote) 2. CompleteWizardStep does not fire. I tried to see if anything was happening by stepping through the page's VB code and flagged the AddUserWizard_CreatedUser sub... but it did not fire... I created a user using the built-in ASP.NET Configuration Wizard.. I also created a login file and I can successfully log in.... I just can't create a user with the CreateUserWizard. My hunch after some investigating is that I am missing something in my web.config file... I suspect I need something under the <authentication> tag???

View 3 Replies

MVC :: Load Partial Views Dynamically At Runtime Using Html.RenderPartial?

Jun 8, 2010

The following link describes the relationships between a Partial View and its parent in terms of ViewData: [URL] In relation to the text: "A partial view enables you to define a view that will be rendered inside a parent view. Partial views are implemented as ASP.NET user controls (.ascx).

When a partial view is instantiated, it gets its own copy of the ViewDataDictionary object that is available to the parent view. The partial view therefore has access to the data of the parent view. However, if the partial view updates the data, those updates affect only the partial view's ViewData object. The parent view's data is not changed"

How can the parent view make use of new data added, or existing data changed and updated, by the partial views? My question is about how to load partial views dynamically at runtime using Html.RenderPartial(...) whilst having one version of the data used and updated by the parent view and its children.

View 4 Replies

C# - Reading Images From A Database And Outputting?

Mar 28, 2011

I have images stored in my database table and am looking to read them from the database and output these images in my asp.net page.

View 3 Replies

Dynamically Outputting Checkboxes To Page In VB.NET?

Feb 10, 2010

I have 50 checkboxes that I need to write onto an aspx page. Each checkbox comes with 3 textboxes.

Example:

chkbox  State  Name  donation  new donation
chkbox  CA     Sam   10        15
chkbox  AK     Sam   15        20

Now this shall go for all 50 states, depending on which states the person wishes to donate. In each state's row shall be a checkbox. So initially the page shall have value 0.00 in donation and new donation checkboxes, but all 50 states shall be visible. When the person puts a value of donation in certain state, that state shall get "checked" value and the donation, after submitting. On reloading, the value shall be populated automatically and checkbox checked automatically.

How do I make these 50 checkboxes in VB.NET? Do I have to write the table in .aspx with 50 <tr> tags, and then have VB.NET code populate it? Can I otherwise dynamically write these checkboxes from VB.NET code?

View 2 Replies

Reading A .csv File And Outputting Data To Database?

Jan 25, 2011

I have a csv file with 5 columns. I need to read this file using C# and write the contents to a table in the database which has 5 columns.

Does anyone know the code or steps to do this?

View 8 Replies

DataSource Controls :: SQLDataSource Outputting Into A Variable

Jan 17, 2011

It seems really easy to output a sqldatasource into a table but really hard to output a sqldatasource into a variable.

View 2 Replies

Web Forms :: Outputting PDF As HTTPWebResponse Converted To MemoryStream

Nov 12, 2010

I have a file, a.pdf, stored on a SharePoint server behind Windows authentication. I want to make a.pdf available through another Web app with forms authentication. Basically, a link is clicked and up pops the open / save as dialog for the pdf (or other document file). I've set up my HTTPWebRequest and passed credentials, getting my data into a stream (file.GetResponseStream).

I've tried converting the stream to a byte array and then using response.write or response.output.write with no luck (stream not seekable). I've tried using a streamreader and doing a response.write(streamreader.readtoend()) and response.write(memorystream.toarray(),0,memorystream.toarray().length) with no luck (the message received from the server could not be parsed).

View 3 Replies

Security :: How To Specify The Authentication Database At Runtime

Mar 28, 2011

When using Forms Authentication to validate against a SQL database, all the Forms Authentication samples utilize the connection string from the web.config file. Is there a way of specifying the connection string for Forms Authentication to use, programmatically at runtime?

Without going into great detail, my web app will be utilizing different databases depending upon other factors. So, sometimes the app will be utilizing Database1, and other times Database2. Both databases will have the same Forms Authentication tables, just different values. I'm hoping there is a simple way of just specifying the database connection string to utilize, without having to go so far as to start implementing my own custom providers. Yet, I haven't come across any documentation that talks about how to do that (yet).

View 8 Replies

Security :: Creating Web.config At Runtime

Jan 23, 2010

1. On the OnCreatedUser event, I create a folder for each member, so that they can store their files inside it. The thing is I use the User.Provider key as the folder name. Is this a good way to store? Is this OK from a security viewpoint? Otherwise I am planning to use User.Username. Here is the code inside the OnCreatedUser event.

[Code]....

2. Inside these user folders I want to put a web.config at run time [at the time of registration], so that a member cannot access the files of other members at any cost. Do you have any idea on creating a web.config file at runtime inside these folders? Else if you can provide me any other options, I am eager to hear them. I don't want to call the database frequently, so if there is any easy solution...

View 3 Replies

Mvc Outputting Json With Backslashes (Escape) Despite Many Attempts To Filter?

Apr 24, 2010

I have an asp.net controller that outputs Json as the result; a section of it is here:

returnString += string.Format(@"{{""filename"":""{0}"",""line"":[", file.Filename);

What I get returned is this:

"{"DPI":"66.8213457076566","width":"563.341067","editable":"True","pricecat":"6","numpages":"2","height":"400","page":[{"filename":"999_9_1.jpg","line":[]},{"filename":"999_9_2.jpg","line":[]}]]"

I have tried to return with the following methods:

return Json(returnString);
return Json(returnString.Replace("\\", ""));

return Json will serialize my string to a JSON string, this I know, but it likes to escape for some reason. How can I get rid of it? For info, this is how I call it with jQuery:

$.ajax({
url:"/Products/LoadArtworkToJSon",
type:"POST",[code]...

View 1 Replies
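An added example, not the poster's code, for the question above: the escaping appears because Json(string) serializes the already-built JSON text as one string value, so the fix is to hand Json() an object graph and let the serializer quote every value. The controller, action and parameter names, and the sample file names, are assumed.

```csharp
// Added example, not the poster's code. Assumed names: ProductsController,
// LoadArtworkToJSon (from the jQuery url in the post), productId.
using System.Linq;
using System.Web.Mvc;

public class ProductsController : Controller
{
    [HttpPost]
    public JsonResult LoadArtworkToJSon(int productId)
    {
        // Constructed sample data standing in for the database lookup.
        var files = new[] { "999_9_1.jpg", "999_9_2.jpg" };

        // Build the structure as objects; property names become JSON keys.
        var result = new
        {
            DPI = 66.8213457076566,
            width = 563.341067,
            editable = true,
            pricecat = 6,
            numpages = files.Length,
            height = 400,
            page = files.Select(f => new
            {
                filename = f,
                line = new string[0]
            }).ToArray()
        };

        // The serializer quotes and escapes each value itself, so a filename
        // containing a quote or backslash cannot break the JSON structure,
        // something string.Format(@"...""{0}""...") and Replace("\\", "")
        // could not guarantee. Passing the finished string to Json() instead
        // re-serializes it as one JSON string, which is where the backslashes
        // in the post came from.
        return Json(result);
    }
}
```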

Security :: AspNetSqlProvider Creating Roles At Runtime?

Mar 31, 2011

I have an ASP.NET MVC web site and I'm using AspNetSqlProvider to configure security.

So, I ran the aspnet_regsql command to create and configure the aspnetdb database that holds users, roles, etc....

I use the asp.net application web management to create roles, users, etc... OK.

But I would like to create roles at runtime:

- If a new user visits my application, I would like to register it as a user and assign it a role (Visitors)

- If seller N visits my application, I would like to create a role (seller N) to register the visitor as admin of seller N

How can we manage this scenario using my configured aspnetdb database?

View 1 Replies

Copyrights 2005-15 www.BigResource.com, All rights reserved