HTML Tags and Potentially Dangerous Characters

Discussion in 'ASP .Net Security' started by Fred, Jan 15, 2009.

  1. Fred

    Fred Guest

    I appreciate the potential danger vis-a-vis Cross-Site Scripting in allowing
    user input to get to a Response.Write.

    Suppose, however, that user input is assigned ONLY to the innerText
    attribute of a textarea artifact. If this were the case, would there be any
    potential of mischief?

    (The reason I'm asking is that I want to allow user input to include
    characters that are potentially dangerous ('<', '>', '#', etc.).)

    Thanks, in advance.
     
    Fred, Jan 15, 2009
    #1

  2. This depends on how you would use that text later. Assume you would
    display it on another page. So, type "<script>alert('hi')</script>",
    save and see what happens. If you don't validate or encode it, you
    will see what people call a "cross-site scripting (XSS) attack".

    See more details here http://tldp.org/HOWTO/Secure-Programs-HOWTO/cross-site-malicious-content.html
    or google for "ASP.NET XSS"

    Hope this helps.
     
    Alexey Smirnov, Jan 16, 2009
    #2
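The point made in reply #2, as an added example that is not part of the thread: the input can be stored exactly as typed, as long as every page that later writes it into HTML encodes it at output time. The class and method names are hypothetical, the second sample string is constructed, and `System.Net.WebUtility` stands in for whichever encoder the application already uses.

```csharp
using System;
using System.Net;

// Added illustration; names are hypothetical and the inputs are samples.
static class OutputEncodingDemo
{
    // Vulnerable: stored text is concatenated into markup as-is.
    static string RenderCommentRaw(string stored) =>
        "<div class=\"comment\">" + stored + "</div>";

    // Hardened: encode when writing output, so storage keeps the
    // user's original '<', '>', '#' characters untouched.
    static string RenderComment(string stored) =>
        "<div class=\"comment\">" + WebUtility.HtmlEncode(stored) + "</div>";

    // A textarea written by the server is still parsed by the browser:
    // its content ends at the first closing textarea tag in the stream,
    // so the value is encoded here as well. The browser decodes the
    // entities and shows the user the original characters.
    static string RenderTextarea(string stored) =>
        "<textarea name=\"body\">" + WebUtility.HtmlEncode(stored) + "</textarea>";

    static void Main()
    {
        string[] samples = {
            "<script>alert('hi')</script>",  // string from reply #2
            "if (a < b && b > c) #todo",     // constructed: legitimate text
        };
        foreach (string s in samples)
        {
            Console.WriteLine("raw      : " + RenderCommentRaw(s));
            Console.WriteLine("encoded  : " + RenderComment(s));
            Console.WriteLine("textarea : " + RenderTextarea(s));
            // Encoding is lossless: decoding returns exactly what was typed.
            Console.WriteLine("lossless : " +
                (WebUtility.HtmlDecode(WebUtility.HtmlEncode(s)) == s));
        }
    }
}
```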
