Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

HTML encoding with MVC2?

Posted on 2010-09-24
6
Medium Priority
?
802 Views
Last Modified: 2012-05-10
In the Nerd Dinner Chapter 1 I read "You should be careful to always HTML-encode any user-entered values to avoid HTML and JavaScript injection attacks"

Please explain how HTML encoding works and what tools are avilable.  Also, a simple example of what an HTML or JavaScript injection attack would be great.

Thanks,
newbieweb
0
Comment
Question by:newbieweb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 40

Assisted Solution

by:Gurvinder Pal Singh
Gurvinder Pal Singh earned 600 total points
ID: 33752946
http://robin.mytechtip.com/2009/02/04/encode-decode-html-in-java/

see the thing is, if my response/request is having javascript in it, and my code is evaluating the string somewhere (say using eval() method), then it can possibly lead to security lapse and other surprising behaviors (hope you understood :))
http://www.w3schools.com/jsref/jsref_eval.asp
0
 

Author Comment

by:newbieweb
ID: 33752981
Is there any way you could give me a tiny example of bad HTML that gets "fixed" by some encoder?  I don't yet understand what an eval() method would look for or change to solve the problem.
0
 
LVL 40

Assisted Solution

by:Gurvinder Pal Singh
Gurvinder Pal Singh earned 600 total points
ID: 33753013
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 20

Accepted Solution

by:
ChristoferDutz earned 1400 total points
ID: 33753026
Encoding replaces any special characters with codes. This allows the user to send complex content using simple ASCII charset. For example there is URL-Encoding in which characters that are not allowed in URLs with codes ... " " --> "%20" (Spaces are replaced by "%20" ... the % sign indicates the beginning of a code followed by two chars defining the encoded value). Another conversion is the conversion of HTML entites (The "<" char is escaped by "<" (The & char indicating the beginning of a code and the ";" indicating the end of it).

By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "<" and ">" the browser can treat them as normal text.

This is where JavaScript injection can become dangerous: .. immagine you have a login screen and if the login fails you display "Login: {here comes the value you entered} invalid!" (You output the text entered in the response. If somebody enters "Paul" and the user was invalid then it outputs "Login: Paul invalid!" ... but if an evil person enters "Paul
0
 
LVL 20

Assisted Solution

by:ChristoferDutz
ChristoferDutz earned 1400 total points
ID: 33753041
Grrrrr ... good example of escaping ;-) ... the sencance should be:
"By encoding a string, you can "disable" its meaning (In Xml for example the "<" and ">" signs are special as they indicate tags. By escaping them to "& l t ;" and "& g t ;" the browser can treat them as normal text."
0
 

Author Closing Comment

by:newbieweb
ID: 33753079
Thanks. That helps.
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Finding original email is quite difficult due to their duplicates. From this article, you will come to know why multiple duplicates of same emails appear and how to delete duplicate emails from Outlook securely and instantly while vital emails remai…
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question