Displaying User-Supplied String

Jonathan Wood

Okay, I have a site that displays information based on user input, a couple
of the items are plain strings that the user entered.

I understand the risk here is that they could insert javascript or whatever
in their string and, when my page displays it, that script could be
executed.

What is the best approach for preventing that?

Thanks.

Jonathan
 
> Okay, I have a site that displays information based on user input, a
> couple of the items are plain strings that the user entered.
>
> I understand the risk here is that they could insert javascript or
> whatever in their string and, when my page displays it, that script could
> be executed.
>
> What is the best approach for preventing that?

Are you talking about SQL Injection i.e. the strings supplied by the users
are used to look up records in a database?

If so, you need to use parameterised queries or stored procedures.

Google "SQL injection"
 
Hello Mark Rae [MVP],
> Are you talking about SQL Injection i.e. the strings supplied by the
> users are used to look up records in a database?
>
> If so, you need to use parameterised queries or stored procedures.
>
> Google "SQL injection"

There's more than SQL injection at work here. Apart from SQL injection there
is the risk of cross-site scripting, as the original poster correctly identified.
The best way to prevent that is to call Server.HtmlEncode on each field before
displaying it. I usually don't encode the data before putting it into the
database as the data might be used in a non-web environment as well (reporting,
Windows client etc).

So encode before displaying.
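An added example (not code from this thread or from the poster's site) of the encode-at-display approach described above, written as a Node.js stand-in for the ASP.NET report page: htmlEncode mirrors what Server.HtmlEncode does for the HTML-significant characters, and the record fields and their values are constructed for the demo.

```javascript
// Added example: encode user-supplied strings at render time, store them raw.
// htmlEncode mirrors Server.HtmlEncode for the five HTML-significant characters.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Neutralise markup so the browser displays the user's text instead of parsing it.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The record is stored exactly as entered (constructed sample; the property
// name is the <b> test input from the thread) so non-web consumers can use it.
const storedRecord = {
  propertyName: "<b>Property1</b>",
  loanName: 'Main St "ARM" loan & more',
};

// Web report: every user-supplied field passes through htmlEncode when rendered.
function renderHtmlReport(record) {
  return (
    "<table>" +
    `<tr><td>Property</td><td>${htmlEncode(record.propertyName)}</td></tr>` +
    `<tr><td>Loan</td><td>${htmlEncode(record.loanName)}</td></tr>` +
    "</table>"
  );
}

// Plain-text report (Windows client, print-out): uses the raw value, which is
// why the data is not encoded on the way into the database.
function renderTextReport(record) {
  return `Property: ${record.propertyName}\nLoan: ${record.loanName}`;
}

// Sanity check for the web output: no user-supplied tag survives as markup.
function containsRawTag(html, tagName) {
  return html.includes(`<${tagName}>`);
}
```

The HTML report shows the literal text `<b>Property1</b>` in the table cell, while the text report still carries the raw string.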
 
Right. I tested it by surrounding my input with <b> and </b>. To my
surprise, it causes an unhandled exception: A potentially dangerous
Request.Form value was detected from the client
(ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Not sure yet where the error is being thrown from exactly, but I'm looking
into it.

Jonathan
 
Hello Jonathan,
> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
> Request.Form value was detected from the client
> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").
>
> Not sure yet where the error is being thrown from exactly, but I'm
> looking into it.

By default any input containing either a piece of javascript code or a html
tag will be rejected by ASP.NET from version 1.1 and higher.

You can switch this automatic validation off from the web.config or the page
directive of the aspx file in question:

http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm

Jesse
 
> Right. I tested it by surrounding my input with <b> and </b>. To my
> surprise, it causes an unhandled exception: A potentially dangerous
> Request.Form value was detected from the client
> (ctl00$ContentPlaceHolder1$description="<b>Property1</b>").

Yes, that is ASP.NET's standard response to this sort of thing... By
default, it considers posting of HTML as *potentially* dangerous, as Jesse
correctly explained...

You have several options here, depending on what you're trying to do...

Can you explain a bit more about what is and, more importantly, what is not
valid data in this case...
 
Mark,
> Yes, that is ASP.NET's standard response to this sort of thing... By
> default, it considers posting of HTML as *potentially* dangerous, as Jesse
> correctly explained...
>
> You have several options here, depending on what you're trying to do...
>
> Can you explain a bit more about what is and, more importantly, what is
> not valid data in this case...

It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
several data fields. I then do a postback to a different page. That other
page examines the fields, performs calculations on some of them, and creates
a report. Some fields, such as the property and loan names, are simply
strings that are displayed as is (there is no invalid value).

My background is native programming. Here, the error seems to occur when the
first page is submitted which doesn't involve any of my code. So I'm not
sure how I'm supposed to trap it.

BTW, I tried the same thing (<b> and </b> in the property Description field)
when the app is running online and it still causes an error but does not
display the details.

Thanks.

Jonathan
 
Yup. I definitely want to do 2. but just wasn't getting that far.

Thanks.

Jonathan
 
> It's a very simple site (http://www.rentalprofitcalc.com). Visitors enter
> several data fields. I then do a postback to a different page.

Any particular reason that you postback to a different page, AAMOI...?
> That other page examines the fields, performs calculations on some of
> them, and creates a report. Some fields, such as the property and loan
> names, are simply strings that are displayed as is (there is no invalid
> value).

There doesn't appear to be any validation at all - e.g. it's possible to
enter "Hello" in the purchase price... My advice would be to fix that
first...
> BTW, I tried the same thing (<b> and </b> in the property Description
> field) when the app is running online and it still causes an error but
> does not display the details.

Obviously the absolute last thing you want to do in a live site is actually
display an error to the user... Instead, capture the error with proper
exception handling, email yourself the error and all its metadata, redirect
the user to a friendly page where you apologise that something has gone
wrong and, depending on what the error actually was, advise them how to
proceed...
 
