Secure Database-Driven output to Web-Controls like Repeater

Discussion in 'ASP .Net Web Controls' started by ViperDK (Daniel K.), Aug 13, 2003.

  1. Scenario: users can store data (guestbook entries, their usernames and so on)
    on a database-driven website, and I have to make sure that they don't insert
    (aggressive) JavaScript or HTML tags that destroy my layout. But it's not
    an option to deny characters like ', " or < at all.

    One option I was suggested is to turn all the input into valid HTML output (do
    a HtmlEncode) before I store it in the database, but I think that is not that
    great because it's too limited and bad design. If I make a WinForms
    application or something else that is not web-based, I'd have to handle and
    undo all the HTML stuff that is only useful for HTML pages.

    The two right solutions for this that I can think of are to code controls like
    Repeater with a property like "UseRawHtmlData" and let them automatically
    HtmlEncode all output unless it is set to RawHtmlData. That would be a
    safe design, I think, but it has the disadvantage that MS didn't do it and I'd
    have to make many modified controls that do.
    The other solution I think of is to code an SqlDataReader and a
    SqlDataAdapter that also automatically HtmlEncode all text data.

    I think the second way makes more sense - I would only have to use those
    modified SQL classes and I would not have to touch the data web controls like
    Repeater, DataGrid and so on.

    Does anyone have such classes to use instead of the normal SQL classes, or is
    there a better alternative to solve that problem? To HtmlEncode every field
    manually like I do now seems to be the worst answer since it makes much work
    and is error prone.
    ViperDK (Daniel K.), Aug 13, 2003
    #1
  2. Eric Newton (Guest)

    Well, before I can offer a solution I need a few pointers:

    - Are you intending to store the actual HTML in the database?
    - You said you don't care about JS/HTML that can destroy layout, which makes
    things easier.

    Unless I'm mistaken, I don't believe the "BoundColumns" in DataGrids change
    the valid HTML to be encoded HTML,
    and since the Repeater utilizes templates, you are in better control.

    In your Repeater template, are you using "<asp:label runat=server text='<%#
    DataBinder.Eval... %>'>"? If so, then the Text property is automatically HTML
    encoded; try changing to using the HtmlControls, specifically the
    HtmlGenericControl, and setting the InnerHtml property, whereas this property
    takes a string and outputs it verbatim.

    HTH


    --
    Eric Newton

    C#/ASP.net Solutions developer

    Eric Newton, Aug 15, 2003
    #2
  3. No, I want to store all data as it is. If someone writes stuff like "i like
    <i> tags" it should get 1:1 into the database, and I want an easy way to
    verify in the output that it does get encoded.

    I usually use DataGrids with BoundColumns like
    <asp:BoundColumn DataField="Comment" HeaderText="Comment"></asp:BoundColumn>

    And yes, I saw that the HtmlGenericControl has a property for the encoded and
    the raw content. I wonder why the TextBox WebControl hasn't got that
    functionality. I thought they should be first choice.

    ViperDK (Daniel K.), Aug 16, 2003
    #3
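    One way to get the automatic encoding the thread is asking for at the control layer rather than in the data layer; this is an added example, not code from the thread, and the class, namespace and assembly names are made up. It subclasses the ASP.NET 1.x BoundColumn and overrides FormatDataValue, the hook that produces each cell's text, so user data stays raw in the database and is encoded only when rendered.

```csharp
// Added example (not from the thread): a BoundColumn that HTML-encodes every
// value it renders. The database keeps "i like <i> tags" verbatim; the
// encoding happens only at the HTML boundary, which is what the poster wants.
// Names below (Guestbook.Web.Controls, HtmlEncodedBoundColumn) are constructed.
using System;
using System.Web;
using System.Web.UI.WebControls;

namespace Guestbook.Web.Controls
{
    public class HtmlEncodedBoundColumn : BoundColumn
    {
        private bool htmlEncode = true;

        // Default is to encode. Set HtmlEncode="false" in the markup only for
        // a field whose markup is produced by trusted code, never for user input.
        public bool HtmlEncode
        {
            get { return htmlEncode; }
            set { htmlEncode = value; }
        }

        // BoundColumn calls this for each cell during data binding; the base
        // implementation handles DBNull and applies DataFormatString.
        protected override string FormatDataValue(object dataValue)
        {
            string text = base.FormatDataValue(dataValue);
            if (!htmlEncode || text == null)
                return text;
            // Turns <, >, & and " into entities, so a stored "<i>" renders
            // as the literal characters instead of becoming an element.
            return HttpUtility.HtmlEncode(text);
        }
    }
}

/* Usage in the .aspx (constructed markup):

<%@ Register TagPrefix="gb" Namespace="Guestbook.Web.Controls" Assembly="Guestbook.Web" %>
<asp:DataGrid id="Entries" runat="server" AutoGenerateColumns="false">
  <Columns>
    <gb:HtmlEncodedBoundColumn DataField="Comment" HeaderText="Comment" />
  </Columns>
</asp:DataGrid>
*/
```

    The same override point works for any column type derived from BoundColumn, and because the encoding lives in the column rather than in a wrapped SqlDataReader, the same data access code can still feed a WinForms client without anything to undo.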
  4. Eric Newton (Guest)

    Yeah, I guess the textboxes were designed from the start to be HTML proper,
    i.e., if they have HTML in their Text property then it's HtmlEncoded so that
    what is in the text is exactly what you see...

    I would guess it'll always stay this way, but a simple boolean property
    wouldn't hurt ;-)


    --
    Eric Newton

    C#/ASP.net Solutions developer

    Eric Newton, Aug 22, 2003
    #4