[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 804
  • Last Modified:

HTML encoding with MVC2?

In the Nerd Dinner Chapter 1 I read "You should be careful to always HTML-encode any user-entered values to avoid HTML and JavaScript injection attacks"

Please explain how HTML encoding works and what tools are avilable.  Also, a simple example of what an HTML or JavaScript injection attack would be great.

Thanks,
newbieweb
0
newbieweb
Asked:
newbieweb
  • 2
  • 2
  • 2
4 Solutions
 
Gurvinder Pal SinghCommented:
http://robin.mytechtip.com/2009/02/04/encode-decode-html-in-java/

see the thing is, if my response/request is having javascript in it, and my code is evaluating the string somewhere (say using eval() method), then it can possibly lead to security lapse and other surprising behaviors (hope you understood :))
http://www.w3schools.com/jsref/jsref_eval.asp
0
 
newbiewebSr. Software EngineerAuthor Commented:
Is there any way you could give me a tiny example of bad HTML that gets "fixed" by some encoder?  I don't yet understand what an eval() method would look for or change to solve the problem.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
ChristoferDutzCommented:
Encoding replaces any special characters with codes. This allows the user to send complex content using simple ASCII charset. For example there is URL-Encoding in which characters that are not allowed in URLs with codes ... " " --> "%20" (Spaces are replaced by "%20" ... the % sign indicates the beginning of a code followed by two chars defining the encoded value). Another conversion is the conversion of HTML entites (The "<" char is escaped by "<" (The & char indicating the beginning of a code and the ";" indicating the end of it).

By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "<" and ">" the browser can treat them as normal text.

This is where JavaScript injection can become dangerous: .. immagine you have a login screen and if the login fails you display "Login: {here comes the value you entered} invalid!" (You output the text entered in the response. If somebody enters "Paul" and the user was invalid then it outputs "Login: Paul invalid!" ... but if an evil person enters "Paul
0
 
ChristoferDutzCommented:
Grrrrr ... good example of escaping ;-) ... the sencance should be:
"By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "& l t ;" and "& g t ;" the browser can treat them as normal text."
0
 
newbiewebSr. Software EngineerAuthor Commented:
Thanks. That helps.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now