aspnet-scotland
asked on
How do I encode user input to tackle XSS issues?
I have the below textbox control within my asp.net usercontrol:
Linked to the above is the below code behind methods:
Within "SearchTextboxTerm" I can run javascript code which I think is the source of the issue. How can I prevent milicious code being entered through my controls?
Thanks.
<asp:TextBox
ID="SearchTextboxTerm"
runat="server"
CssClass="cleardefault listSearchTextBox"
ToolTip="Enter search term"
ontextchanged="btnSearchTerm_Click" >
</asp:TextBox>
<asp:Button
ID="btnSearch"
CssClass="listsearchButton"
runat="server"
Text="Search"
onclick="btnSearchTerm_Click" />
Linked to the above is the below code behind methods:
protected void btnSearchTerm_Click(object sender, EventArgs e)
{
search = SearchTextboxTerm.Text;
month = ddMonths.SelectedValue;
year = ddYear.SelectedValue;
LoadItems(search,month,year);
}
protected void LoadItems(string searchTerm,string month,string year)
{
if (!(listName == null))
{
SPSite objSite = SPContext.Current.Site;
SPWeb objWeb = objSite.OpenWeb();
SPQuery query = new SPQuery();
string returnURL = Request.Url.ToString();
string returnPage = SPContext.Current.Item["Title"].ToString();
SPList pressReleases = objWeb.Lists["Press Releases"];
hypViewAll.NavigateUrl = Request.Url.AbsolutePath.ToString();
lblSearchText.Visible = true;
lblMess.Visible = true;
repItems.Visible = true;
if (searchTerm == "" || searchTerm == null)
{
query.Query = "<OrderBy><FieldRef Name='Created' Ascending='False'/></OrderBy>";
}
else if (!(searchTerm == "" || searchTerm == null))
{
searchedText.Visible = true;
searchedText.Text = SPHttpUtility.HtmlEncode("You searched for <span class=\"viewSelectedNoMargin\">") + searchTerm + SPHttpUtility.HtmlEncode("</span>");
query.RowLimit = 100;
query.Query = "<Where><Contains><FieldRef Name='Title'/><Value Type='Text'>" + searchTerm + "</Value></Contains></Where><OrderBy><FieldRef Name='Created' Ascending='False'/></OrderBy>";
ddMonths.SelectedValue = month;
ddYear.SelectedValue = year;
}
DataTable dt = pressReleases.GetItems(query).GetDataTable();
if (!(dt == null))
{
dt.Columns.Add("URL");
dt.Columns.Add("CreatedMonth");
dt.Columns.Add("CreatedYear");
foreach (DataRow row in dt.Rows)
{
DateTime createdDate = Convert.ToDateTime(row["Created"]);
if (row["Item_x0020_Description"].ToString().Length > 450)
{
row["Item_x0020_Description"] = row["Item_x0020_Description"].ToString().Substring(0, 450) + "...";
}
row["Created"] = row["Created"].ToString().Substring(0, row["Created"].ToString().LastIndexOf(":"));
row["CreatedMonth"] = createdDate.Month;
row["CreatedYear"] = createdDate.Year;
row["URL"] = objWeb.Url + SPHttpUtility.HtmlUrlAttributeEncode("/Pages/ReadMore.aspx?ListName=") + listName + SPHttpUtility.HtmlUrlAttributeEncode("&ItemID=") + row[SPHttpUtility.HtmlUrlAttributeEncode("ID")].ToString() + SPHttpUtility.HtmlUrlAttributeEncode("&From=") + returnURL + SPHttpUtility.HtmlUrlAttributeEncode("&WebID=") + objWeb.ID + SPHttpUtility.HtmlUrlAttributeEncode("&Page=") + returnPage;
}
DataView view = new DataView(dt);
if ((!(month == "0")) && (!(year == "0")))
{
view.RowFilter = "CreatedMonth =" + month + "and CreatedYear=" + year;
}
else if ((!(month == "0")) && year == "0")
{
view.RowFilter = "CreatedMonth =" + month;
}
else if ((month == "0") && (!(year == "0")))
{
view.RowFilter = "CreatedYear =" + year;
}
ddMonths.SelectedValue = month;
ddYear.SelectedValue = year;
int rowCount = view.Count;
if (!(rowCount == 0))
{
PagedDataSource objPds = new PagedDataSource();
objPds.DataSource = view;
objPds.AllowPaging = true;
objPds.PageSize = 8;
objPds.CurrentPageIndex = CurrentPage;
if (rowCount > objPds.PageSize)
{
lblCurrentPage.Text = "Page: " + (CurrentPage + 1).ToString() + " of "
+ objPds.PageCount.ToString();
// Disable Prev or Next buttons if necessary
cmdPrev.Enabled = !objPds.IsFirstPage;
cmdNext.Enabled = !objPds.IsLastPage;
cmdNext.Visible = true;
cmdPrev.Visible = true;
cmdPrev.CssClass = "listpagingButton";
cmdNext.CssClass = "listpagingButton";
}
else
{
objPds.CurrentPageIndex = 0;
lblCurrentPage.Visible = false;
cmdNext.Visible = false;
cmdPrev.Visible = false;
}
lblMess.Text = rowCount + " " + listName;
repItems.DataSource = objPds;
}
else
{
cmdNext.Visible = false;
cmdPrev.Visible = false;
lblCurrentPage.Text = "";
lblMess.Text = "No results";
repItems.Visible = false;
}
repItems.DataBind();
}
else
{
cmdNext.Visible = false;
cmdPrev.Visible = false;
lblCurrentPage.Text = "";
lblMess.Text = "No results";
repItems.Visible = false;
}
}
}
Within "SearchTextboxTerm" I can run javascript code which I think is the source of the issue. How can I prevent milicious code being entered through my controls?
Thanks.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER