Security :: Mitigate The XSS / HTMLEncode And HTMLDecode?
Oct 6, 2010
Trying to protect against XSS on a CMS I'm working and I therefore encode all necessary client input but on retrieval from DB, I'm getting all these funny HTML characters displayed on the HTML Page as a result of the encoding.
I'm considering appending a decode on retrieval but I'm wondering what the point of the inital encoding is if I decode eventually.
Please how do I effectively mitigate the XSS issue using the encode/decode avenue.
I have a text area and I want to store the text entered by user in database with html formatting like paragraph break, numbered list. I am using HTMLencode and HTMLdecode for this.Sample of my code is like this:
If user entered text with 2 paragraphs, str1 shows characters between paragraphs. but when it writes it to screen, just append 2nd paragraph with 1st. While I'm decoding it, why doesn't it print 2 paragraphs?
I have a url which I wish to encode that contains a couple of encrypted querystring parameters:
I've been asked by a client I'm working with to html encode this url. I've used HttpUtility.HtmlEncode() to do this. This returned the following:
This appears to be correct as the '&' has been replaced with '&'. However a problem arises when I try to use HttpUtility.HtmlDecode() on this new value as I get the following returned:
What appears to have occurred is the '&' has had the 'amp' removed and the ';' has been html encoded (I checked the value of '%3b' and it corresponds with the html encoded value of a semi-colon). I'm not sure why this is happening?
I realise I could manually do a .Replace("%3b", "") as a temporary fix but I can't see this being a good long-term solution.
I have many Ajax.ActionLink's on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case so it's not a destructive GET.
My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete user data from another site. This ActionLink does appear within a form that includes <%= Html.AntiForgeryToken() %> but since ActionLinks don't post the form, the anti-forgery token doesn't go to the controller, so it can't validate it.
I have written a tiered application for a mate of mine to store and manage his massive CD collection. When I save the Album name I HTMLEnchode the input. I then use a drop down list on another page that pulls back all the Albums liked to a Specific artist but when i get the data back from my Object data source the data is still enchoded. At what point do i need to decode the data? Is it right at the begining in the DAL or in the actual drop down list.
I have a list of character that display fine in WebBrowser in the form of encoded characters such as € � ... But when posting these characters onto server to I realized that HttpUtility.HtmlDecode cannot convert them to characters as browser did, they all become space.
text = System.Web.HttpUtility.HtmlDecode("€");
I expect it to return â‚¬ but it return space instead. The same thing happen for some other characters as well.
This stems from a recent similiar issue: I have since add edit capabilities.My access db is made up of imported records from recipes. In the memo fields are paragraphs users have typed replete with ingredients listed in succession (1 per line) then a normal paragraph follows. When in editmode(multi line textbox), suddenly in each line ends with <br>. How to fix this? I want to preserve the line breaks od course.
As the title of this post already mentioned, I'm using a modal popup window to edit rows in the gridview. One column in the gridview contains an URL code. When I fire the edit button a popup opens and show the URL in a textbox in this format: [URL]
When I am using the Server.HTMLDecode function, the modal popup doesn't close anymore.
I am using the following code:
The funny thing is, when I change it to: txtURL.Text = row.Cells.Text; then I can close the modal popup, but unfortunately it is not decoded.
I am using a nested repeater to display users popsts and replies to the posts. The posts can be two different types, just a comment, or a comment with statistics. To display the stats column, I am building the data in the SQL like:
This displays Ride Time as HH:MM. I am bolding the header (RT) with the <strong> embedded in theSQL. If I bind the result into a gridview, where I can turn the HTML Encode property = false, the RT is bolded. Is there a way to accomplish this in a repeater?
I need to scrub data for malicious content in a form (whose website is UTF-8 encoded) so I'm doing the following:
Is there a way to skip those characters from being encoded, like some sort of range?
For protect against XSS we should make all input from textboxes thoht Server.Htmlencode function.
1) If i let a input go thorgh Server.Htmlencode and save it in database. But what happen if i letter show this input data from database on browerser ...if database input data have <script> it will then make Xss!!!!.
2) I use Server.Htmlencode.. and the user write <b>ss<b>... (label.text = userinput.text;) and i WANT to show ss in browser. What shuld i do for make this happen ??
I'm trying to mock Server.HtmlEncode(), but I keep having a null reference exception.I'm pretty new to the Moq framework, here is my code:
var context = new Mock<HttpContextBase>(); var request = new Mock<HttpRequestBase>(); var response = new Mock<HttpResponseBase>(); var session = new Mock<HttpSessionStateBase>(); var server = new Mock<HttpServerUtilityBase>(); server.Setup(svr => svr.HtmlEncode(It.IsAny<string>())).Returns((string s) => s); context.Setup(ctx => ctx.Request).Returns(request.Object); context.Setup(ctx => ctx.Response).Returns(response.Object); context.Setup(ctx => ctx.Session).Returns(session.Object); context.Setup(ctx => ctx.Server).Returns(server.Object);
We are using gridview to display data and detailsview to show details, update, insert, and delete as needed. I am a bit confused on whether or not htmlencode and htmldecode is needed when storing data from detailsview. Gridviews always use boundfields and I think encoding and decoding is built in. For detailsview we use mostly templatefields (eval(), bind()), some boundfields, and some data is stored in codebehind using e.values or e.newvalues.Here is where I've got the idea:http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.detailsview.itemupdated.aspxIf I use the iteration and htmlencode, detailsview read only mode displays decoded data. However, gridview displays encoded data and of course update mode of detailsview. So, it seems like detailsview using htmlencode and htmldecode somewhat, but I am not clear as to what degree and what would be the best way to handle it.
I have a form that I have been getting submissions that have punctuation and special characters that trigger the potentially dangerous Request.Form value error. I have been trying use the httpUtility.htmlencode and Server.htmlencode method to sanitize textboxes and textareas.All my tests do not fire because the built-in request validation of the 4.0 framework prevents the code-behind from executing to perform the sanitization. I have included the ValidateRequest in the page header but no matter what I set it too it still does the same thing.