PC Review


Displaying User-Supplied String

 
 
Jonathan Wood
      3rd Oct 2007
Okay, I have a site that displays information based on user input, a couple
of the items are plain strings that the user entered.

I understand the risk here is that they could insert javascript or whatever
in their string and, when my page displays it, that script could be
executed.

What is the best approach for preventing that?

Thanks.

Jonathan

 
Mark Rae [MVP]
      3rd Oct 2007
"Jonathan Wood" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Okay, I have a site that displays information based on user input, a
> couple of the items are plain strings that the user entered.
>
> I understand the risk here is that they could insert javascript or
> whatever in their string and, when my page displays it, that script could
> be executed.
>
> What is the best approach for preventing that?


Are you talking about SQL injection, i.e. the strings supplied by the users
are used to look up records in a database?

If so, you need to use parameterised queries or stored procedures.

Google "SQL injection"


--
Mark Rae
ASP.NET MVP
http://www.markrae.net

 
Jesse Houwing
      4th Oct 2007
Hello Mark Rae [MVP],

> "Jonathan Wood" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Okay, I have a site that displays information based on user input, a
>> couple of the items are plain strings that the user entered.
>>
>> I understand the risk here is that they could insert javascript or
>> whatever in their string and, when my page displays it, that script
>> could be executed.
>>
>> What is the best approach for preventing that?
>>

> Are you talking about SQL Injection i.e. the strings supplied by the
> users are used to look up records in a database?
>
> If so, you need to use parameterised queries or stored procedures.
>
> Google "SQL injection"


There's more than SQL injection at work here. Apart from SQL injection there
is the risk of cross site scripting, as the original poster correctly identified.
Best way to prevent that is to call Server.HTMLEncode on each field before
displaying it. I usually don't encode the data before putting it into the
database as the data might be used in a non-web environment as well (reporting,
Windows client etc).

So encode before displaying.

--
Jesse Houwing
jesse.houwing at sogeti.nl
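The encode-at-output rule Jesse describes, as an added example that is not code from this thread or from any of its posters: a stand-alone C# console program keeps the stored string exactly as typed and HTML-encodes it only at the point where it is written into the page. It uses System.Net.WebUtility.HtmlEncode so that it compiles outside ASP.NET; inside a page, Server.HtmlEncode (or HttpUtility.HtmlEncode) gives the same result for the characters that matter here (`<`, `>`, `&`, `"`). The sample strings are constructed; the first is the test value Jonathan used later in the thread.

```csharp
// Added example (not from the thread): store raw, encode on output.
// WebUtility.HtmlEncode is used so this runs as a plain console program; in an
// ASP.NET page Server.HtmlEncode / HttpUtility.HtmlEncode do the same job.
using System;
using System.Net;

class EncodeOnOutput
{
    // Constructed sample inputs. Each one is "valid" as a property name: the
    // site has no rule against these characters, so they must be rendered
    // safely rather than rejected.
    static readonly string[] UserStrings =
    {
        "<b>Property1</b>",
        "Main St. duplex <script>alert(1)</script>",
        "Tom & Jerry's \"loft\"",
    };

    // What goes into the database: the text untouched, so a report or a
    // Windows client reading the same row sees what the user typed.
    static string Store(string input)
    {
        return input;
    }

    // Applied once, at render time, for an element body or a quoted
    // attribute value. Every character that could start a tag or entity is
    // turned into its entity form, so the browser shows it as text.
    static string RenderHtml(string stored)
    {
        return WebUtility.HtmlEncode(stored);
    }

    static void Main()
    {
        foreach (string s in UserStrings)
        {
            string stored = Store(s);
            Console.WriteLine("stored : " + stored);
            Console.WriteLine("html   : <td>" + RenderHtml(stored) + "</td>");
            Console.WriteLine("attr   : <input value=\"" + RenderHtml(stored) + "\" />");
            Console.WriteLine();
        }

        // The usual symptom of encoding before storage and again on output:
        // the stored "Tom &amp; Jerry" becomes "Tom &amp;amp; Jerry" on screen.
        string twice = WebUtility.HtmlEncode(WebUtility.HtmlEncode("Tom & Jerry"));
        Console.WriteLine("encoded twice: " + twice);
    }
}
```

For "<b>Property1</b>" the rendered cell is `<td>&lt;b&gt;Property1&lt;/b&gt;</td>`, which the browser displays as the literal text rather than as bold markup. Encoding is a property of the output context: the HTML encoder above is right for element bodies and quoted attributes, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead.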


 
Jonathan Wood
      4th Oct 2007
Right. I tested it by surrounding my input with <b> and </b>. To my
surprise, it causes an unhandled exception: A potentially dangerous
Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Not sure yet where the error is being thrown from exactly, but I'm looking
into it.

Jonathan

"Jesse Houwing" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello Mark Rae [MVP],
>
>> "Jonathan Wood" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>> Okay, I have a site that displays information based on user input, a
>>> couple of the items are plain strings that the user entered.
>>>
>>> I understand the risk here is that they could insert javascript or
>>> whatever in their string and, when my page displays it, that script
>>> could be executed.
>>>
>>> What is the best approach for preventing that?
>>>

>> Are you talking about SQL Injection i.e. the strings supplied by the
>> users are used to look up records in a database?
>>
>> If so, you need to use parameterised queries or stored procedures.
>>
>> Google "SQL injection"

>
> There's more than SQL injection at work here. Apart from SQL injection
> there is the risk of cross site scripting, as the original poster correctly
> identified. Best way to prevent that is to call Server.HTMLEncode on each
> field before displaying it. I usually don't encode the data before putting
> it into the database as the data might be used in a non-web environment as
> well (reporting, Windows client etc).
>
> So encode before displaying.
>
> --
> Jesse Houwing
> jesse.houwing at sogeti.nl
>
>


 
Jesse Houwing
      4th Oct 2007
Hello Jonathan,

> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
> Request.Form value was detected from the client
> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").
>
> Not sure yet where the error is being thrown from exactly, but I'm
> looking into it.


By default any input containing either a piece of javascript code or an HTML
tag will be rejected by ASP.NET from version 1.1 and higher.

You can switch this automatic validation off from the web.config or the page
directive of the aspx file in question:

http://www.cryer.co.uk/brian/mswinsw..._dangerous.htm

Jesse

> "Jesse Houwing" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>
>> Hello Mark Rae [MVP],
>>
>>> "Jonathan Wood" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>
>>>> Okay, I have a site that displays information based on user input,
>>>> a couple of the items are plain strings that the user entered.
>>>>
>>>> I understand the risk here is that they could insert javascript or
>>>> whatever in their string and, when my page displays it, that script
>>>> could be executed.
>>>>
>>>> What is the best approach for preventing that?
>>>>
>>> Are you talking about SQL Injection i.e. the strings supplied by the
>>> users are used to look up records in a database?
>>>
>>> If so, you need to use parameterised queries or stored procedures.
>>>
>>> Google "SQL injection"
>>>

>> There's more than SQL injection at work here. Apart from SQL
>> injection there is the risk of cross site scripting, as the original
>> poster correctly identified. Best way to prevent that is to call
>> Server.HTMLEncode on each field before displaying it. I usually don't
>> encode the data before putting it into the database as the data might
>> be used in a non-web environment as well (reporting, Windows client
>> etc).
>>
>> So encode before displaying.
>>
>> --
>> Jesse Houwing
>> jesse.houwing at sogeti.nl

--
Jesse Houwing
jesse.houwing at sogeti.nl
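The two places Jesse mentions for switching request validation off, as an added configuration example that is not from the thread or the linked page. The web.config form below applies to every page in the application; the `httpRuntime` line is only needed if the site is ever run on ASP.NET 4.0 or later, where validation otherwise happens before the page-level setting is consulted (the thread itself predates 4.0). Disabling validation only makes sense once every user string is HTML-encoded on output.

```xml
<!-- Added example (not from the thread): turn off ASP.NET request validation
     application-wide. Do this only where every user-supplied string is
     HTML-encoded before it is written into a page. -->
<configuration>
  <system.web>
    <!-- ASP.NET 1.1 / 2.0 / 3.5: this attribute alone is enough. -->
    <pages validateRequest="false" />

    <!-- ASP.NET 4.0 and later only: without this, validation runs before the
         page setting is read and the exception is still thrown. -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</configuration>
```

The narrower alternative is to leave the application setting alone and add `ValidateRequest="false"` to the `<%@ Page %>` directive of just the page that receives the form, so every other page keeps the built-in check. On 4.0 and later the page-level attribute also needs the `requestValidationMode="2.0"` line above.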


 
Mark Rae [MVP]
      4th Oct 2007
"Jonathan Wood" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
> Request.Form value was detected from the client
> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").


Yes, that is ASP.NET's standard response to this sort of thing... By
default, it considers posting of HTML as *potentially* dangerous, as Jesse
correctly explained...

You have several options here, depending on what you're trying to do...

Can you explain a bit more about what is and, more importantly, what is not
valid data in this case...


--
Mark Rae
ASP.NET MVP
http://www.markrae.net

 
Steve C. Orr [MCSD, MVP, CSM, ASP Insider]
      4th Oct 2007
I recommend you use Microsoft's free Anti Cross Site Scripting Library:
http://msdn2.microsoft.com/en-us/security/aa973814.aspx

--
I hope this helps,
Steve C. Orr,
MCSD, MVP, CSM, ASPInsider
http://SteveOrr.net



"Jonathan Wood" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Okay, I have a site that displays information based on user input, a
> couple of the items are plain strings that the user entered.
>
> I understand the risk here is that they could insert javascript or
> whatever in their string and, when my page displays it, that script could
> be executed.
>
> What is the best approach for preventing that?
>
> Thanks.
>
> Jonathan
>


 
Jonathan Wood
      4th Oct 2007
Mark,

>> Right. I tested it by surrounding my input with <b> and </b>. To my
>> surprise, it causes an unhandled exception: A potentially dangerous
>> Request.Form value was detected from the client
>> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

>
> Yes, that is ASP.NET's standard response to this sort of thing... By
> default, it considers posting of HTML as *potentially* dangerous, as Jesse
> correctly explained...
>
> You have several options here, depending on what you're trying to do...
>
> Can you explain a bit more about what is and, more importantly, what is
> not valid data in this case...


It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
several data fields. I then do a postback to a different page. That other
page examines the fields, performs calculations on some of them, and creates
a report. Some fields, such as the property and loan names, are simply
strings that are displayed as is (there is no invalid value).

My background is native programming. Here, the error seems to occur when the
first page is submitted which doesn't involve any of my code. So I'm not
sure how I'm supposed to trap it.

BTW, I tried the same thing (<b> and </b> in the property Description field)
when the app is running online and it still causes an error but does not
display the details.

Thanks.

Jonathan

 
Jonathan Wood
      4th Oct 2007
Yup. I definitely want to do 2. but just wasn't getting that far.

Thanks.

Jonathan

"Jesse Houwing" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello Jonathan,
>
>> Right. I tested it by surrounding my input with <b> and </b>. To my
>> surprise, it causes an unhandled exception: A potentially dangerous
>> Request.Form value was detected from the client
>> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").
>>
>> Not sure yet where the error is being thrown from exactly, but I'm
>> looking into it.

>
> By default any input containing either a piece of javascript code or an
> HTML tag will be rejected by ASP.NET from version 1.1 and higher.
>
> You can switch this automatic validation off from the web.config or the
> page directive of the aspx file in question:
>
> http://www.cryer.co.uk/brian/mswinsw..._dangerous.htm
>
> Jesse
>
>> "Jesse Houwing" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>
>>> Hello Mark Rae [MVP],
>>>
>>>> "Jonathan Wood" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>
>>>>> Okay, I have a site that displays information based on user input,
>>>>> a couple of the items are plain strings that the user entered.
>>>>>
>>>>> I understand the risk here is that they could insert javascript or
>>>>> whatever in their string and, when my page displays it, that script
>>>>> could be executed.
>>>>>
>>>>> What is the best approach for preventing that?
>>>>>
>>>> Are you talking about SQL Injection i.e. the strings supplied by the
>>>> users are used to look up records in a database?
>>>>
>>>> If so, you need to use parameterised queries or stored procedures.
>>>>
>>>> Google "SQL injection"
>>>>
>>> There's more than SQL injection at work here. Apart from SQL
>>> injection there is the risk of cross site scripting, as the original
>>> poster correctly identified. Best way to prevent that is to call
>>> Server.HTMLEncode on each field before displaying it. I usually don't
>>> encode the data before putting it into the database as the data might
>>> be used in a non-web environment as well (reporting, Windows client
>>> etc).
>>>
>>> So encode before displaying.
>>>
>>> --
>>> Jesse Houwing
>>> jesse.houwing at sogeti.nl

> --
> Jesse Houwing
> jesse.houwing at sogeti.nl
>
>


 
Mark Rae [MVP]
      4th Oct 2007
"Jonathan Wood" <(E-Mail Removed)> wrote in message
news:eYAAG%(E-Mail Removed)...

>> Can you explain a bit more about what is and, more importantly, what is
>> not valid data in this case...

>
> It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
> several data fields. I then do a postback to a different page.


Any particular reason that you postback to a different page, AAMOI...?

> That other page examines the fields, performs calculations on some of
> them, and creates a report. Some fields, such as the property and loan
> names, are simply strings that are displayed as is (there is no invalid
> value).


There doesn't appear to be any validation at all - e.g. it's possible to
enter "Hello" in the purchase price... My advice would be to fix that
first...

> BTW, I tried the same thing (<b> and </b> in the property Description
> field) when the app is running online and it still causes an error but
> does not display the details.


Obviously the absolute last thing you want to do in a live site is actually
display an error to the user... Instead, capture the error with proper
exception handling, email yourself the error and all its metadata, redirect
the user to a friendly page where you apologise that something has gone
wrong and, depending on what the error actually was, advise them how to
proceed...


--
Mark Rae
ASP.NET MVP
http://www.markrae.net
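Mark's advice on handling the error, as an added example that is not code from this thread or from any of its posters: an Application_Error handler in Global.asax.cs that records the exception together with its request metadata, e-mails the report, and sends the visitor to a friendly page. The page name ~/Oops.aspx and the two mail addresses are assumptions; everything else uses the standard System.Web and System.Net.Mail APIs, and the exception type checked for is the one ASP.NET throws for the "potentially dangerous Request.Form value" case seen earlier in the thread.

```csharp
// Added example (not from the thread). Global.asax.cs: one central handler for
// every unhandled exception, including the HttpRequestValidationException that
// ASP.NET raises when a posted field contains HTML.
using System;
using System.Net.Mail;
using System.Web;

public class Global : HttpApplication
{
    // Assumed values: replace with the site's own page and addresses.
    const string ErrorPage = "~/Oops.aspx";
    const string AdminMail = "admin@example.invalid";
    const string FromMail  = "site@example.invalid";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // ASP.NET wraps page exceptions in HttpUnhandledException; unwrap it
        // so the report names the real cause.
        Exception root = ex.GetBaseException();
        HttpRequest req = Request;

        // Metadata worth having in the e-mail. Posted form values are left
        // out on purpose: they may contain the very markup that caused the
        // error, plus whatever personal data the visitor typed.
        string report = string.Join(Environment.NewLine, new[]
        {
            "Type:   " + root.GetType().FullName,
            "Msg:    " + root.Message,
            "URL:    " + req.RawUrl,
            "Method: " + req.HttpMethod,
            "IP:     " + req.UserHostAddress,
            "Stack:  " + root.StackTrace
        });
        Notify(report);

        // Give the friendly page a coarse reason so it can tell the user what
        // to change, without exposing the message or stack trace.
        string reason = root is HttpRequestValidationException ? "markup" : "unexpected";

        Server.ClearError();
        Response.Redirect(ErrorPage + "?reason=" + reason, false);
        CompleteRequest();
    }

    // Mail the report; SMTP settings come from <system.net><mailSettings> in
    // web.config. A failure here must never turn into a second error page.
    static void Notify(string report)
    {
        try
        {
            using (MailMessage msg = new MailMessage(FromMail, AdminMail, "Site error", report))
            {
                new SmtpClient().Send(msg);
            }
        }
        catch (Exception)
        {
            System.Diagnostics.Trace.TraceError(report);
        }
    }
}
```

What Jonathan saw online (an error, but no details) is the default `<customErrors mode="RemoteOnly">` behaviour: details are shown only to a browser on the server itself. Adding `defaultRedirect="~/Oops.aspx"` to that element gives the friendly page declaratively, but only the handler above also captures the metadata and mails it. The missing input validation Mark points out (a word in the purchase price field) is a separate problem: it is caught before the postback by RequiredFieldValidator and RangeValidator controls on the form, not by error handling.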

 