Considering issues like CSRF, XSS, SQL injection...
Site: ASP.NET, SQL Server 2012
I'm reading this old MS page: https://msdn.microsoft.com/en-us/library/ff649310.aspx#paght000004_step4
If I have a parametrized query, and one of the fields holds HTML, is a simple replace on the tags the trick?
For example, the user can type in a WYSIWYG textarea, make things bold, or create bullets, etc.
I want to be able to display the results of a select query; if I HTML-encoded it, it'll have to be HTML-decoded.
What UDF cycles through the list of scenarios? I'm curious about the best way to deal with the seemingly sneaky ones mentioned on the page:
Quote:
An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting. For example, the src attribute of the <img> tag can be a source of injection, as shown in the following examples.
<img src="javascript:alert('hello');"> <img src="java
script:alert('hello');"> <img src="java
script:alert('hello');">
An attacker can use the <style>
tag to inject script by changing the MIME type, as shown in the following.
<style type="text/javascript"> alert('hello'); </style>
So, 2 questions:
- Best way to deal with it within the insert statement itself.
- Best way to deal with it in the code-behind.
- Best way to deal with it within the insert statement itself.
None. That's not how you should do it.
- Best way to deal with it in the code-behind.
Use a white-list, not a black-list. HTML encode everything, then decode the specific tags that are allowed.
It's reasonable to be able to specify the tags that can be used safely; it's not reasonable to be able to catch every possible exploit.
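As an added example of the "encode everything, then decode only the allowed tags" approach the answer describes (this is not code from the question, the answer, or the linked MSDN page), here is a small C# helper for the ASP.NET code-behind. The helper name, the allowed-tag set and the sample inputs are my own choices; it relies only on WebUtility.HtmlEncode from System.Net and the standard Regex class.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

public static class HtmlAllowList
{
    // Tags the WYSIWYG editor is allowed to emit (constructed set for this example).
    // Attributes are never allowed, so src, lowsrc, style, href and event handlers
    // can never reach the rendered page.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "b", "strong", "i", "em", "u", "p", "br", "ul", "ol", "li" };

    // After HtmlEncode, a bare tag looks like "&lt;b&gt;", "&lt;/li&gt;" or "&lt;br/&gt;".
    // Only a tag name with an optional closing or self-closing slash is matched;
    // anything carrying attributes does not match and therefore stays encoded.
    private static readonly Regex EncodedBareTag = new Regex(
        @"&lt;(/?)([a-zA-Z]+)\s*(/?)&gt;", RegexOptions.Compiled);

    // Encode the whole string first, then re-open only the tags on the allow-list.
    public static string Sanitize(string input)
    {
        if (input == null) return string.Empty;

        string encoded = WebUtility.HtmlEncode(input);

        return EncodedBareTag.Replace(encoded, m =>
        {
            string name = m.Groups[2].Value;
            if (!AllowedTags.Contains(name))
                return m.Value;                       // not allowed: leave it encoded
            return "<" + m.Groups[1].Value + name.ToLowerInvariant()
                       + m.Groups[3].Value + ">";     // allowed: restore the bare tag
        });
    }

    public static void Main()
    {
        // Constructed sample inputs: benign editor output, the img/style payloads
        // quoted on the page, and an allowed tag that carries a style attribute.
        string[] samples =
        {
            "<b>bold</b> and <ul><li>one</li></ul><br/>",
            "<img src=\"javascript:alert('hello');\">",
            "<img src=\"java\nscript:alert('hello');\">",
            "<style type=\"text/javascript\"> alert('hello'); </style>",
            "<b style=\"color:red\">styled</b>"
        };

        foreach (string s in samples)
            Console.WriteLine(Sanitize(s));
    }
}
```

Store the raw text with the parametrized INSERT and call Sanitize at render time (for example when assigning the value to a Literal control), so the database never has to know about HTML at all. Because the whole input is encoded before anything is re-opened, the "javascript:" and the newline-split "java\nscript:" payloads from the quoted page are never recognised or special-cased; they simply remain text. A user who literally types "&lt;b&gt;" gets "&amp;lt;b&amp;gt;" after encoding, so only a real "<b>" can ever be re-opened. The helper does not balance tags, so an unclosed "<b>" can bold the rest of the page; that is a layout issue rather than a script-injection one, but worth validating if it matters.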