ViperDK (Daniel K.)
scenario: users can store data (guestbook entries, their usernames and so on)
on a database-driven website, and I have to make sure that they don't insert
(aggressive) JavaScript or HTML tags that destroy my layout. But it's not
an option to deny characters like ', " or < at all.
One option I got suggested is to make all the input valid HTML output (do
an HtmlEncode) before I store it in the database, but I think that is not that
great because it's too limited and bad design. If I make a WinForms
application or something else that is not web-based, I'd have to handle and
undo all the HTML stuff that is only useful for HTML pages.
The two right solutions for this that I can think of are: to code controls like
Repeater with a property like "UseRawHtmlData" and let it automatically
HtmlEncode all output unless it is set for RawHtmlData. That would be a
safe design I think, but it has the disadvantage that MS didn't do it and I'd
have to make many modified controls that do.
The other solution I think of is to code an SqlDataReader and a
SqlDataAdapter that also automatically HtmlEncode all text data.
I think the second way makes more sense - I would only have to use those
modified SQL classes and I would not have to touch the data web controls like
Repeater, DataGrid and so on.
Does anyone have such classes to use instead of the normal SQL classes, or is
there a better alternative to solve that problem? To HtmlEncode every field
manually like I do now seems to be the worst answer since it makes much work
and is error prone.
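The "encode at the data layer" design from the post, as an added example that is not ViperDK's code and not part of the original thread. It assumes the site fills a DataTable through a SqlDataAdapter and binds it to a Repeater or DataGrid; instead of subclassing the SQL classes, a helper returns a copy of the filled table with every string column run through HttpUtility.HtmlEncode, except columns the caller names as trusted raw HTML (the "UseRawHtmlData" opt-out, moved to the data layer). The raw characters stay in the database, so a WinForms client reads them untouched. The sample guestbook rows are constructed; the helper name HtmlSafeTable.Encode is an assumption. Two caveats a practitioner should keep in mind: HtmlEncode is only correct for text between tags, so a value placed into an attribute, a URL or a script block still needs the encoding for that context, and if a control later gains its own automatic encoding the data-layer encoding will double-encode.

```csharp
using System;
using System.Data;
using System.Web; // HttpUtility; reference System.Web.dll (or the System.Web.HttpUtility package on .NET Core)

// Added example, not code from the original post: encode-on-read helper for the
// DataTable a SqlDataAdapter fills, so data-bound controls only ever see
// HTML-safe text while the database keeps the raw ', " and < the user typed.
static class HtmlSafeTable
{
    // Returns a copy of 'source' with every string column HTML-encoded, except the
    // columns listed in 'rawColumns' (trusted markup, e.g. admin-authored text).
    // Non-string columns and NULLs are copied unchanged.
    public static DataTable Encode(DataTable source, params string[] rawColumns)
    {
        DataTable copy = source.Clone(); // same schema, no rows
        foreach (DataRow row in source.Rows)
        {
            DataRow target = copy.NewRow();
            foreach (DataColumn col in source.Columns)
            {
                object value = row[col];
                bool isText = col.DataType == typeof(string) && value is string;
                bool keepRaw = Array.IndexOf(rawColumns, col.ColumnName) >= 0;
                target[col.ColumnName] = (isText && !keepRaw)
                    ? HttpUtility.HtmlEncode((string)value)
                    : value;
            }
            copy.Rows.Add(target);
        }
        return copy;
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample data standing in for the guestbook table.
        DataTable guestbook = new DataTable("Guestbook");
        guestbook.Columns.Add("Username", typeof(string));
        guestbook.Columns.Add("Entry", typeof(string));
        guestbook.Columns.Add("EntryHtml", typeof(string)); // trusted markup, kept raw
        guestbook.Rows.Add("mallory", "<script>alert('xss')</script>", "<b>welcome</b>");
        guestbook.Rows.Add("o'brien", "I \"like\" this site & more", null);

        // This is the table you would hand to Repeater.DataSource.
        DataTable safe = HtmlSafeTable.Encode(guestbook, "EntryHtml");
        foreach (DataRow row in safe.Rows)
            Console.WriteLine("{0} | {1} | {2}", row["Username"], row["Entry"], row["EntryHtml"]);
        // mallory's <script> tag comes out as &lt;script&gt;... and is rendered as
        // inert text; the EntryHtml column is passed through untouched.
    }
}
```

Because the encoding happens in one place, a new column added to the query is safe by default, which is the property the post is after; the cost is that the opt-out list has to be maintained by the same code that knows which columns hold trusted markup.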