
how to secure a .getstring result containing html..

Author
27 Mar 2006 8:24 PM
Paul
I am working with some existing code that creates a table in part by using
the .GetString method of a dataset to put <td><tr>, etc. into the returned
data as in the following VB.Net example:

    Response.Write rs.GetString(adClipString,,"</td><td></td><td>","</td></tr><tr><td>")

We have had a security audit and have been requested to sanitize the data
returned in the dataset. However, if I use Server.HTMLencode on the whole
thing it converts the <td>'s and such into written out text.

Can you use this type of implementation of the .GetString method in a
secure way?

--
Paul
Web Developer

Author
27 Mar 2006 8:38 PM
Dominick Baier [DevelopMentor]
hi,

you first have to encode the text and afterwards selectively decode allowed
tags...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am working with some existing code that creates a table in part by
> using the .getString method of a dataset to put <td><tr>, etc. into
> the returned data as in the following VB.Net example:
> Response.Write
> rs.GetString(adClipString,,"</td><td></td><td>","</td></tr><tr><td>")
>
> We have had a security audit and have been requested to sanitize the
> data returned in the dataset. However, if I use Server.HTMLencode on
> the whole thing it converts the <td>'s and such into written out text.
>
> Can you use this type of implementation of the  .GetString method in a
> secure way?
>
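The approach Dominick describes (encode the whole GetString result, then put back only the tags you inserted yourself), placed beside the alternative of encoding each field before it is joined to the markup. This is an added illustration, not code from the thread or from ADO: `get_string_like` is a model of what `rs.GetString(adClipString, , colDelim, rowDelim)` produces, the rows are constructed sample data, and the opening `<table><tr><td>` and closing `</td></tr></table>` are assumed to be written around the result by the page, as in the original post.

```python
import html

# Constructed sample data standing in for the rows an ADO recordset would return.
# The second row carries markup in its fields, the case the audit is concerned with.
SAMPLE_ROWS = [
    ("Alice", "admin", "alice@example.test"),
    ("<script>alert(1)</script>", "user", 'x"y'),
]

# Delimiters of the kind passed to rs.GetString in the thread.
COL_DELIM = "</td><td>"
ROW_DELIM = "</td></tr><tr><td>"


def get_string_like(rows, col_delim=COL_DELIM, row_delim=ROW_DELIM):
    """Model of rs.GetString(adClipString, , col_delim, row_delim) (not the ADO call):
    field values are concatenated raw, so any markup in a field reaches the page."""
    return row_delim.join(col_delim.join(str(v) for v in row) for row in rows)


def encode_then_decode_delimiters(raw, delimiters=(ROW_DELIM, COL_DELIM)):
    """Dominick's suggestion applied after the fact: HTML-encode the whole
    GetString result, then restore only the exact delimiter strings we inserted.
    Only bare structural tags are restored, so an attribute smuggled into a
    field can never come back as markup."""
    encoded = html.escape(raw, quote=True)
    for delim in delimiters:
        encoded = encoded.replace(html.escape(delim, quote=True), delim)
    return encoded


def build_per_field(rows, col_delim=COL_DELIM, row_delim=ROW_DELIM):
    """Encode each field before it is joined to the markup, i.e. loop the rows
    yourself instead of letting GetString join raw values. Data and structure
    never share a string, so no decoding step is needed."""
    return row_delim.join(
        col_delim.join(html.escape(str(v), quote=True) for v in row) for row in rows
    )


def count_cells(fragment):
    """Number of <td> openers in a fragment: a cheap check of whether field
    data managed to add table structure of its own."""
    return fragment.count("<td>")


if __name__ == "__main__":
    raw = get_string_like(SAMPLE_ROWS)
    print("raw GetString output:     ", raw)
    print("encode, then decode tags: ", encode_then_decode_delimiters(raw))
    print("encode per field:         ", build_per_field(SAMPLE_ROWS))
    # The difference shows when a field happens to contain the delimiter text.
    tricky = [("A</td><td>B", "c")]
    print("cells after decode step:  ", count_cells(encode_then_decode_delimiters(get_string_like(tricky))))
    print("cells with per-field:     ", count_cells(build_per_field(tricky)))
```

For ordinary data the two functions produce identical output. They differ when a field contains the delimiter text itself: after the encode-then-decode step that text is turned back into a real cell boundary, because once GetString has joined everything there is no way to tell which `</td><td>` came from the database and which from the delimiter. That is the reason to prefer encoding per field (looping the recordset, or encoding each column before the join) where the code can be changed; the decode approach is the patch that fits the existing GetString call.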
Author
27 Mar 2006 8:46 PM
Paul
Hey, that just might work, thanks for the suggestion...
--
Paul
Web Developer


"Dominick Baier [DevelopMentor]" wrote:

> hi,
>
> you first have to encode the text and afterwards selectively decode allowed
> tags...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I am working with some existing code that creates a table in part by
> > using the .getString method of a dataset to put <td><tr>, etc. into
> > the returned data as in the following VB.Net example:
> > Response.Write
> > rs.GetString(adClipString,,"</td><td></td><td>","</td></tr><tr><td>")
> >
> > We have had a security audit and have been requested to sanitize the
> > data returned in the dataset. However, if I use Server.HTMLencode on
> > the whole thing it converts the <td>'s and such into written out text.
> >
> > Can you use this type of implementation of the  .GetString method in a
> > secure way?
> >
>
>
>