Cross-Site Scripting & sqlDataReader

Discussion in 'ASP .Net Security' started by vineetbatta, May 11, 2004.

  1. vineetbatta

    vineetbatta Guest

    I am using SqlDataReader for showing data from the database.
    But if the data from SQL has tags like <script>alert()</script>, then it shows an alert box while binding.

    Is there any way of suppressing this? Or is it a flaw?

    regards
    Vineet Batta
    vineetbatta, May 11, 2004
    #1

  2. Ken Schaefer

    Ken Schaefer Guest

    Use HTMLEncode() when outputting the data.

    It replaces things like < with &lt; etc. It is not a bug - you are using
    reserved characters in your text, and you need to replace those reserved
    characters with the appropriate HTML Entities that are defined in the HTML
    specifications. HTMLEncode() does this for you.

    Cheers
    Ken

    Ken Schaefer, May 11, 2004
    #2

  3. avnrao

    avnrao Guest

    Use HttpServerUtility.UrlEncode while binding.

    Av.
    avnrao, May 11, 2004
    #3
  4. Ken Schaefer

    Ken Schaefer Guest

    You mean HTMLEncode()?

    URLEncode() is for formatting text to be placed into a URL (e.g. as part of a
    query string).

    Cheers
    Ken

    Ken Schaefer, May 11, 2004
    #4
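    A worked example of the advice in posts #2 and #4, added here as an illustration (it is not code from the thread). It assumes HttpUtility from System.Web and uses a constructed array of strings in place of the values a SqlDataReader would return, so it runs without a database. Each row is rendered three ways: raw (the vulnerable binding that makes the alert box appear), through HtmlEncode (the fix), and through UrlEncode (the wrong encoder for this context).

```csharp
// Added example, not from the thread. Shows a database value rendered three
// ways: raw (the alert fires), HtmlEncode (correct for HTML output) and
// UrlEncode (the wrong encoder for this context).
using System;
using System.Web; // HttpUtility; on .NET Core/5+ this is the System.Web.HttpUtility assembly

public static class EncodingDemo
{
    // Constructed sample rows standing in for what reader["Comment"] would
    // return from a SqlDataReader; no database is needed to run this.
    public static readonly string[] RowsFromDatabase =
    {
        "Great product",
        "<script>alert()</script>",
        "a < b && c > d \"quoted\"",
    };

    // Vulnerable: the raw value goes into the page. This is what a
    // BoundColumn or <%# DataBinder.Eval(...) %> does by default, and why
    // the alert box appears while binding.
    public static string RenderRaw(string value)
    {
        return "<td>" + value + "</td>";
    }

    // Fix: encode for the HTML body context. '<', '>', '&' and '"' become
    // entities, so the browser shows the text instead of executing it.
    public static string RenderHtmlEncoded(string value)
    {
        return "<td>" + HttpUtility.HtmlEncode(value) + "</td>";
    }

    // Wrong tool: UrlEncode produces %xx escapes meant for a query string.
    // The script no longer runs, but the user sees "%3cscript%3e..." in
    // place of their text.
    public static string RenderUrlEncoded(string value)
    {
        return "<td>" + HttpUtility.UrlEncode(value) + "</td>";
    }

    public static void Main()
    {
        foreach (string row in RowsFromDatabase)
        {
            Console.WriteLine("raw:  " + RenderRaw(row));
            Console.WriteLine("html: " + RenderHtmlEncoded(row));
            Console.WriteLine("url:  " + RenderUrlEncoded(row));
            Console.WriteLine();
        }
    }
}
```

    In a Web Forms template column the same fix is `<%# HttpUtility.HtmlEncode(Convert.ToString(DataBinder.Eval(Container.DataItem, "Comment"))) %>`; `Server.HtmlEncode` (HttpServerUtility.HtmlEncode) does the same job, so post #3 picked the right class but the wrong method. Two caveats a practitioner will want: HtmlEncode is the right encoder for the HTML body and for quoted attribute values only, so a value placed inside a script block, an event-handler attribute or a URL needs the encoder for that context; and encode at output time rather than before storing, so the database keeps the original text and the same row can be rendered correctly in other contexts.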
  5. avnrao

    avnrao Guest

    That's true. It's HTMLEncode().

    Av.

    avnrao, May 11, 2004
    #5
