What is the best practice for handling dangerous characters in asp.net?

What is the best practice for handling dangerous characters in asp.net? see example: asp.net registration form

Would you:

  • use JavaScript to prevent them from being entered into the text box in the first place?
  • have a common function that finds and replaces them on the server side?

The con of #1 is increased page load time.

+4
6 answers

Solution No. 1 will not increase load time.

You should ALWAYS use solution number 2 together with solution number one, as users can disable JavaScript in their browsers.

+2

ASP.NET handles potentially dangerous characters for you by default since ASP.NET 2.0. From Request Validation in ASP.NET:

Request validation is a feature in ASP.NET that validates an HTTP request and determines if it contains potentially dangerous content. In this context, potentially dangerous content is any HTML markup or JavaScript code in the body, header, request line or request cookie. ASP.NET performs this check because the markup or code in the query string of the URL, cookies, or posted form values may have been added for malicious purposes.

Request validation helps prevent such an attack. If ASP.NET detects any markup or code in the request, it throws a "potentially dangerous value was detected" error and stops page processing.

Perhaps most importantly, this happens on the server; no matter how the client accesses your application, they cannot just turn off JavaScript to get around it.

+9

You accept them as regular characters on the storage side. When rendering, you encode your output. You must encode it in any case, regardless of security, so that you can display special characters.

+2

ALWAYS check the input on the server; this is not even up for discussion, just do it!

Checking on the client side is just eye candy for the user, but the server is where it counts!

0

Thinking that

ASP.NET handles potentially dangerous characters for you by default since ASP.NET 2.0. From Request Validation in ASP.NET:

it looks like a solid door that will hold off a thief. This is not true. It will only slow him down. You need to know what the most common vectors are and what the possible solutions are. You must understand that every EVERY EVERY variable (field / property) that you write into HTML / CSS / JavaScript is a potential attack vector that needs to be sanitized (using the appropriate libraries, for example some methods in the new MVC.NET or, at least, <%: %> in ASP.NET 4.0), no exceptions; every EACH every request you make is a potential attack vector that needs to be cleaned by the exclusive use of an ORM and parameterized queries, no exceptions. Passwords should not be stored in the DB. And tons of other things like that. It is not very difficult, but laziness, complacency and ignorance make it complicated (if not almost impossible). If it's not you who leaves a hole, then it's the programmer on your left, or the programmer on your right. There is no hope.

0

What is the best practice for handling dangerous characters in asp.net?

I did not watch the screencast you are referring to (questions should be self-contained in any case), but there are no dangerous characters. It all depends on the context. For example, take Stack Overflow: it allows you to enter characters like Dangerous!'); DROP TABLE Questions-- . Nothing dangerous there.

ASP.NET itself will do everything possible to prevent malicious input at the HTTP level: it will not allow any user to access files like web.config or files outside of your web root.

Once you start doing something with user input, it's up to you. There is no single silver bullet, no single rule that covers all of them. If you intend to display user input as HTML, you need to make sure that you allow only harmless markup tags, without attributes that are accessible to script. If you allow users to upload images, make sure that only images are uploaded. If you intend to send input to an RDBMS, be sure to escape characters that have meaning for the database manipulation language.

And so on.

0
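The point made by the "encode on output" and "it all depends on the context" answers, as an added example that is not part of the original thread: the same stored input is written out with a different encoder for each sink, and reaches the database only as a bound parameter. It assumes a .NET Framework project referencing System.Web (for HttpUtility) and System.Data; the sample input is constructed from the thread's own string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web; // HttpUtility lives in System.Web.dll

// Added example (not from the original thread). A value is "dangerous" only
// relative to the context it is written into, so the defence is per-context
// output encoding plus parameterised SQL, not an input blacklist.
class ContextualEncodingDemo
{
    // Constructed sample input, built from the payload quoted in the thread.
    const string UserInput = "Dangerous!'); DROP TABLE Questions--<script>alert(1)</script>";

    // Storage side: keep the raw characters, do not mangle them on the way in.
    public static string Store(string input) => input;

    // HTML element body: what <%: %> does in ASP.NET 4.0.
    public static string ForHtmlBody(string value) => HttpUtility.HtmlEncode(value);

    // HTML attribute value: attribute-encode and always quote it.
    public static string ForHtmlAttribute(string value) =>
        "\"" + HttpUtility.HtmlAttributeEncode(value) + "\"";

    // Inside a JavaScript string literal: HTML encoding is the wrong tool here.
    public static string ForJavaScriptString(string value) =>
        "\"" + HttpUtility.JavaScriptStringEncode(value) + "\"";

    // In a URL query string.
    public static string ForUrlQuery(string value) => HttpUtility.UrlEncode(value);

    // To the RDBMS: never concatenate into the statement; bind a parameter.
    // The command text stays constant no matter what the value contains.
    public static SqlCommand ForSql(string value)
    {
        var cmd = new SqlCommand("INSERT INTO Questions (Body) VALUES (@body)");
        cmd.Parameters.Add("@body", SqlDbType.NVarChar).Value = value;
        return cmd;
    }

    static void Main()
    {
        string stored = Store(UserInput);
        Console.WriteLine("html body: " + ForHtmlBody(stored));
        Console.WriteLine("html attr: " + ForHtmlAttribute(stored));
        Console.WriteLine("js string: " + ForJavaScriptString(stored));
        Console.WriteLine("url query: " + ForUrlQuery(stored));
        SqlCommand cmd = ForSql(stored);
        Console.WriteLine("sql text:  " + cmd.CommandText);
        Console.WriteLine("sql @body: " + cmd.Parameters["@body"].Value);
    }
}
```

Running it shows the single quote and angle brackets surviving unchanged into the SQL parameter while each text sink gets its own escaped form, which is the behaviour the two answers describe.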

Source: https://habr.com/ru/post/1496164/
