TEXTBOX Problem in ASP.NET

liunx

Guest
I have a multiline ASP.NET Textbox...

When the user enters in a > or < character then clicks submit... the page blows up.

It's probably because these characters are XML tag delimiters. Is there an easy way to keep ASP.NET from choking on these?

That is used to protect your app from cross-site scripting; it can be disabled with the page directive on your aspx page and/or with web.config. I wouldn't recommend disabling it though. If you must let your users enter those characters then you should look into system.web.httpUtility.htmlDecode, which will parse the strings and decode them so that you don't get that error. Good luck!

You can also manually use a replace statement to change out < with &lt; and > with &gt;, but you are going to need to do something like this:
validateRequest="false" in your page directive.

I also suggest you parse out the comment codes on your website before they hit an SQL statement... otherwise you could be in danger of someone attacking your website with SQL injection. http://www.devx.com/security/Article/20898

There's a good article that describes cures for the most common .Net security issues, and it talks about htmlDecode and htmlEncode for XSS.

That article had a bit on encryption. I also recommend http://aspnet.4guysfromrolla.com/articles/112002-1.aspx, which is about salting a database, and is a follow-up article to a good article on md5 database encryption... but you only need to consider something like this unless you are holding credit card numbers or something. In which case you would most likely be using https too. 4guysfromrolla.com has a handful of great security articles.

I think the best solution to this problem is using substring by replacing < or > by ASCII code.

happy surfing...

Originally posted by NashCA
> I think the best solution to this problem is using substring by replacing < or > by ASCII code.
>
> happy surfing...

That has already been said, the replace statement.
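The approach the replies converge on (turn off request validation only for this page, HTML-encode the text before it is rendered, and keep it out of the SQL text with a parameter), as an added C# example that is not from any poster in this thread; the control names, the Comments table and the connection-string placeholder are assumptions:

```csharp
// Code-behind for a page whose .aspx directive is, for example:
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentPage" %>
// With request validation off, '<' and '>' reach this code unchanged, so the
// page itself is responsible for encoding them before they are written back out.
// (On ASP.NET 4.0 and later, page-level ValidateRequest="false" only takes effect
// when web.config also has <httpRuntime requestValidationMode="2.0" />.)
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CommentPage : Page
{
    protected TextBox CommentBox;   // the multiline TextBox from the question (assumed name)
    protected Label Preview;        // where the submitted text is echoed back (assumed name)

    // Equivalent of the "replace statement" suggested above: '&' must be replaced
    // first, otherwise the '&' introduced by "&lt;" would itself get re-encoded.
    // HttpUtility.HtmlEncode does the same job and is the call to prefer.
    public static string ManualHtmlEncode(string s)
    {
        return s.Replace("&", "&amp;")
                .Replace("<", "&lt;")
                .Replace(">", "&gt;")
                .Replace("\"", "&quot;");
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        string raw = CommentBox.Text;

        // Store the raw text and encode on output. The parameter keeps the comment
        // out of the SQL statement itself, which is what the SQL injection warning
        // in the thread is about; string concatenation here would reopen that hole.
        using (var conn = new SqlConnection("<CONNECTION-STRING-PLACEHOLDER>"))
        using (var cmd = new SqlCommand("INSERT INTO Comments (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = raw;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // Encode before rendering: "<b>hi</b>" is shown as "&lt;b&gt;hi&lt;/b&gt;"
        // in the HTML source, so the browser displays the tags instead of interpreting them.
        Preview.Text = HttpUtility.HtmlEncode(raw);
    }
}
```

The encoding must happen at every place the stored text is rendered, not only in the preview, since the value in the database is kept unencoded.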