Solved

HTML encoding with MVC2?

Posted on 2010-09-24
6
797 Views
Last Modified: 2012-05-10
In the Nerd Dinner Chapter 1 I read "You should be careful to always HTML-encode any user-entered values to avoid HTML and JavaScript injection attacks"

Please explain how HTML encoding works and what tools are avilable.  Also, a simple example of what an HTML or JavaScript injection attack would be great.

Thanks,
newbieweb
0
Comment
Question by:newbieweb
  • 2
  • 2
  • 2
6 Comments
 
LVL 40

Assisted Solution

by:gurvinder372
gurvinder372 earned 150 total points
ID: 33752946
http://robin.mytechtip.com/2009/02/04/encode-decode-html-in-java/

see the thing is, if my response/request is having javascript in it, and my code is evaluating the string somewhere (say using eval() method), then it can possibly lead to security lapse and other surprising behaviors (hope you understood :))
http://www.w3schools.com/jsref/jsref_eval.asp
0
 

Author Comment

by:newbieweb
ID: 33752981
Is there any way you could give me a tiny example of bad HTML that gets "fixed" by some encoder?  I don't yet understand what an eval() method would look for or change to solve the problem.
0
 
LVL 40

Assisted Solution

by:gurvinder372
gurvinder372 earned 150 total points
ID: 33753013
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 20

Accepted Solution

by:
ChristoferDutz earned 350 total points
ID: 33753026
Encoding replaces any special characters with codes. This allows the user to send complex content using simple ASCII charset. For example there is URL-Encoding in which characters that are not allowed in URLs with codes ... " " --> "%20" (Spaces are replaced by "%20" ... the % sign indicates the beginning of a code followed by two chars defining the encoded value). Another conversion is the conversion of HTML entites (The "<" char is escaped by "<" (The & char indicating the beginning of a code and the ";" indicating the end of it).

By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "<" and ">" the browser can treat them as normal text.

This is where JavaScript injection can become dangerous: .. immagine you have a login screen and if the login fails you display "Login: {here comes the value you entered} invalid!" (You output the text entered in the response. If somebody enters "Paul" and the user was invalid then it outputs "Login: Paul invalid!" ... but if an evil person enters "Paul
0
 
LVL 20

Assisted Solution

by:ChristoferDutz
ChristoferDutz earned 350 total points
ID: 33753041
Grrrrr ... good example of escaping ;-) ... the sencance should be:
"By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "& l t ;" and "& g t ;" the browser can treat them as normal text."
0
 

Author Closing Comment

by:newbieweb
ID: 33753079
Thanks. That helps.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you tried to learn about Unicode, UTF-8, and multibyte text encoding and all the articles are just too "academic" or too technical? This article aims to make the whole topic easy for just about anyone to understand.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this tutorial viewers will learn how add a full-size background image to a webpage using CSS3. Create a new HTML document with an internal stylesheet.: In CSS, define the html element to have a background image. Use a high resolution image.: In t…
The viewer will learn the benefit of using external CSS files and the relationship between class and ID selectors. Create your external css file by saving it as style.css then set up your style tags: (CODE) Reference the nav tag and set your prop…

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now