YesSoftware Forums -> Archive -> CodeChargeStudio.Discussion

 CCS v2.1 > ASP.NET > C# > SQL SAFE DATA INPUT / HTML TAGS STUFF / A potentially dangerous Request.Form value was detected from the client ...

Ricardo Treithamer.com
Posted: 07/08/2003, 7:23 AM

Hi everyone.

I'm trying out CC Studio, and I really like it, it's very powerful and blah,
blah, blah, congrats everyone up there.

I'm developing a Content Management System for an online newspaper, so I
need to include HTML tags in every article, and when I try to insert some
HTML tags, I get the .Net framework error:

A potentially dangerous Request.Form value was detected from the client
(articlesarticle_desc="<font color="navy"><...").

Description: Request Validation has detected a potentially dangerous client
input value, and processing of the request has been aborted. This value may
indicate an attempt to compromise the security of your application, such as
a cross-site scripting attack. You can disable request validation by setting
validateRequest=false in the Page directive or in the configuration section.
However, it is strongly recommended that your application explicitly check
all inputs in this case.

1) Where do I set the Page directive using CCS?
2) Is there a way to make all the forms input fields sql safe?
http://www.devarticles.com/art/1/138/4
3) How do I implement asp.net custom webcontrols with CCS?

Thanks,

Ricardo Treithamer,
Internet Consultant,
Treithamer.com

DonB
Posted: 07/08/2003, 11:35 AM

I am puzzled what the heck it thinks is dangerous about a <font> tag...

The direct solution might be to run the text through Server.HtmlEncode:

strSafeHtml = Server.HtmlEncode(strUnsafeHtml)

and encode the delimiters it contains.

But the indirect solution may lie with existing work, such as
http://sourceforge.net/projects/phpwebsite/ which is very nice - just not
.NET, which may be a problem for you.

DonB


Ricardo Treithamer.com
Posted: 07/08/2003, 1:18 PM

It's a very common error when you use the .Net framework v1.1.X.

Using Server.HtmlEncode didn't fix this problem.

So I solved this 'issue' called "SQL Injection" in VS.net
1) adding some code to the web.config file -- customErrors off --
2) adding validateRequest=false to the page directive at the top of the .aspx
webform.
3) replacing the single characters:
private string SafeSqlLikeClauseLiteral(string inputSQL)
{
// Make the following replacements so the value can be embedded in a LIKE clause:
// ' becomes ''
// [ becomes [[]
// % becomes [%]
// _ becomes [_]

string s = inputSQL.Replace("'", "''");
s = s.Replace("[", "[[]");
s = s.Replace("%", "[%]");
s = s.Replace("_", "[_]");
return s;
}

References:
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
http://msdn.microsoft.com/netframework/default.aspx?pul...rary/en-us/dnnetsec/html/SecNetch12.asp

SQL injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Ricardo Treithamer,
Internet Consultant,
Treithamer.com

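The thread runs three separate concerns together: the request-validation warning about a "<" in form input, DonB's Server.HtmlEncode suggestion, and the quote/wildcard replacement in the post above. The following C# is an added example, not code from the thread or from CodeCharge Studio, that keeps the three apart; it assumes a SQL Server table named articles with the columns shown and a page on which validateRequest has been switched off as described, and it deliberately stores the article body unchanged, since encoding it would destroy the tags the CMS needs.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not code from the thread. Table and column names are assumed.
public class ArticleStore
{
    // SQL injection: bind the value instead of concatenating it into the statement.
    // Sent as a parameter, a quote or comment marker inside the article is inert, so
    // the ' -> '' replacement from the post is not needed here.
    public static SqlCommand BuildInsert(SqlConnection conn, string title, string html)
    {
        SqlCommand cmd = new SqlCommand(
            "INSERT INTO articles (article_title, article_desc) VALUES (@title, @desc)", conn);
        cmd.Parameters.Add("@title", SqlDbType.NVarChar).Value = title;
        cmd.Parameters.Add("@desc", SqlDbType.NText).Value = html;
        return cmd;
    }

    // LIKE wildcards are not neutralised by parameters: a search term of "100%" would
    // match every row. Wrapping [, % and _ in brackets makes SQL Server's LIKE treat
    // each as a literal character, so no ESCAPE clause is needed.
    public static string EscapeLikeLiteral(string term)
    {
        return term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    public static SqlCommand BuildTitleSearch(SqlConnection conn, string term)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT article_id, article_title FROM articles WHERE article_title LIKE @pat", conn);
        cmd.Parameters.Add("@pat", SqlDbType.NVarChar).Value =
            "%" + EscapeLikeLiteral(term) + "%";
        return cmd;
    }

    // Cross-site scripting, which is what request validation was actually warning about:
    // with validateRequest off, encode on output every field that is shown as text
    // (a reader comment, a search term echoed back), not the article markup itself.
    public static string RenderAsText(string untrusted)
    {
        return "<p>" + HttpUtility.HtmlEncode(untrusted) + "</p>";
    }

    public static void Main()
    {
        Console.WriteLine(EscapeLikeLiteral("50%_off[sale]"));
        Console.WriteLine(RenderAsText("<font color=\"navy\">Hi</font>"));
    }
}
```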

Powered by UltraApps Forum created with CodeCharge Studio
Copyright © 2003-2004 by UltraApps.com  and YesSoftware, Inc.