Cross-Site Scripting & sqlDataReader


vineetbatta

I am using SqlDataReader for showing data from the database.
But if the data from SQL contains tags like <script>alert()</script>, then it shows an alert box while binding.

Is there any way of suppressing this, or is it a flaw?

regards
Vineet Batta
 

Ken Schaefer

Use HTMLEncode() when outputting the data.

It replaces things like < with &lt;, etc. It is not a bug - you are using
reserved characters in your text, and you need to replace those reserved
characters with the appropriate HTML entities that are defined in the HTML
specifications. HTMLEncode() does this for you.

Cheers
Ken

: I am using SqlDataReader for showing data from the database.
: But if the data from SQL contains tags like <script>alert()</script>, then
: it shows an alert box while binding.
:
: Is there any way of suppressing this, or is it a flaw?
:
: regards
: Vineet Batta
:
 

Ken Schaefer

You mean HTMLEncode()?

URLEncode() is for formatting text to be placed into a URL (e.g. as part of a
query string).

Cheers
Ken

: use HttpServerUtility.UrlEncode while binding.
:
: Av.
: : > I am using SqlDataReader for showing data from the database.
: : > But if the data from SQL contains tags like <script>alert()</script>, then
: : > it shows an alert box while binding.
: : >
: : > Is there any way of suppressing this, or is it a flaw?
: >
: > regards
: > Vineet Batta
: >
:
:
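The two replies above boil down to one rule: encode for the context you are writing into. The following is an added example (not code posted in this thread) that renders rows from an IDataReader the way Ken recommends, with every value passed through HtmlEncode on output, beside the raw concatenation that causes the alert box in the original question. A DataTableReader filled with constructed rows stands in for SqlDataReader so it runs without a database; both implement IDataReader, so the rendering code is the same. The column name, the sample rows and the class name are assumptions for the example. System.Net.WebUtility.HtmlEncode is used because it is available in both .NET Framework and .NET Core; Server.HtmlEncode / HttpUtility.HtmlEncode from the replies produce the same entities.

```csharp
using System;
using System.Data;
using System.Net;
using System.Text;

// Added example: HTML-encode reader values before they reach the page.
static class SafeBinding
{
    // Constructed stand-in for a SqlDataReader: one text column, including the
    // markup from the original question. Column and rows are assumptions.
    static IDataReader ConstructedReader()
    {
        var table = new DataTable("Comments");
        table.Columns.Add("Body", typeof(string));
        table.Rows.Add("Hello, world");
        table.Rows.Add("<script>alert()</script>");
        table.Rows.Add("Tom & Jerry <3");
        return table.CreateDataReader();
    }

    // The pattern from the question: raw reader values concatenated into markup.
    // Any <script> stored in the table is sent to the browser as live markup.
    static string RenderRaw(IDataReader reader)
    {
        var sb = new StringBuilder("<ul>\n");
        while (reader.Read())
            sb.Append("  <li>").Append(reader.GetString(0)).Append("</li>\n");
        return sb.Append("</ul>").ToString();
    }

    // The fix from the replies: every value goes through HtmlEncode on output,
    // so < > & " become &lt; &gt; &amp; &quot; and the browser shows the text
    // literally instead of interpreting it.
    static string RenderEncoded(IDataReader reader)
    {
        var sb = new StringBuilder("<ul>\n");
        while (reader.Read())
            sb.Append("  <li>")
              .Append(WebUtility.HtmlEncode(reader.GetString(0)))
              .Append("</li>\n");
        return sb.Append("</ul>").ToString();
    }

    static void Main()
    {
        Console.WriteLine("-- raw (browser would execute the script tag) --");
        using (var r = ConstructedReader()) Console.WriteLine(RenderRaw(r));

        Console.WriteLine("-- HtmlEncode (browser shows the literal text) --");
        using (var r = ConstructedReader()) Console.WriteLine(RenderEncoded(r));

        // Why UrlEncode is the wrong tool here (Ken's second reply): it is meant
        // for query-string components and turns the same text into percent
        // escapes, which an HTML page would then display verbatim as %3C... noise.
        Console.WriteLine("-- UrlEncode, for contrast --");
        Console.WriteLine(WebUtility.UrlEncode("<script>alert()</script>"));
    }
}
```

The encoding happens at the point of output, not when the data is stored: the table keeps the original text, so the same row can still be URL-encoded if it is later placed into a query string, and HTML-encoded when it is placed into a page.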