Cross-Site Scripting & sqlDataReader

#1

    Cross-Site Scripting & sqlDataReader

    I am using SqlDataReader for showing data from the database.
    But if the data from SQL has tags like <script>alert()</script> then it shows an alert box while binding.

    Is there any way of suppressing this? Or is it a flaw?

    regards
    Vineet Batta

    vineetbatta Guest

#2

    Re: Cross-Site Scripting & sqlDataReader

    Use HTMLEncode() when outputting the data.

    It replaces things like < with &lt; etc. It is not a bug - you are using
    reserved characters in your text, and you need to replace those reserved
    characters with the appropriate HTML Entities that are defined in the HTML
    specifications. HTMLEncode() does this for you.

    Cheers
    Ken

    "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
    news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
    : I am using SqlDataReader for showing data from the database.
    : But if the data from SQL has tags like <script>alert()</script> then
    it shows an alert box while binding.
    :
    : Is there any way of suppressing this? Or is it a flaw?
    :
    : regards
    : Vineet Batta
    :


    Ken Schaefer Guest

#3

    Re: Cross-Site Scripting & sqlDataReader

    Use HttpServerUtility.UrlEncode while binding.

    Av.
    "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
    news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
    >I am using SqlDataReader for showing data from the database.
    > But if the data from SQL has tags like <script>alert()</script> then
    > it shows an alert box while binding.
    >
    > Is there any way of suppressing this? Or is it a flaw?
    >
    > regards
    > Vineet Batta
    >

    avnrao Guest

#4

    Re: Cross-Site Scripting & sqlDataReader

    You mean HTMLEncode()?

    URLEncode() is for formatting text to be placed into a URL (eg as part of a
    querystring)

    Cheers
    Ken

    "avnrao" <avn@newsgroups.com> wrote in message
    news:eI$54TyNEHA.1396@TK2MSFTNGP10.phx.gbl...
    : Use HttpServerUtility.UrlEncode while binding.
    :
    : Av.
    : "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
    : news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
    : >I am using SqlDataReader for showing data from the database.
    : > But if the data from SQL has tags like <script>alert()</script>
    then
    : > it shows an alert box while binding.
    : >
    : > Is there any way of suppressing this? Or is it a flaw?
    : >
    : > regards
    : > Vineet Batta
    : >
    :
    :


    Ken Schaefer Guest
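    An added example, not code from the thread, showing the advice in #2 and #4 in ASP.NET code-behind: text read from a SqlDataReader is HTML-encoded before it is written into the page, and UrlEncode is used only where a value goes into a URL. The page class, connection string name, table and column names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical Comments.aspx page. The "AppDb" connection
// string and the Comments(Author, Body) table are assumed, not from the thread;
// both columns are assumed NOT NULL so GetString() does not throw.
public partial class Comments : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Author, Body FROM Comments", conn))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    string author = reader.GetString(0);
                    string body = reader.GetString(1);

                    // Unsafe: the stored text is pasted into the page as markup,
                    // so a Body of "<script>alert()</script>" runs in the browser.
                    // Response.Write("<p>" + body + "</p>");

                    // Safe for HTML text: HtmlEncode turns <, >, &, " into
                    // &lt; &gt; &amp; &quot; so the browser shows the text literally.
                    Response.Write("<p>" + HttpUtility.HtmlEncode(body) + "</p>");

                    // UrlEncode belongs inside a URL, e.g. a query-string value.
                    // The href is then an attribute value, so it gets attribute
                    // encoding on top (encode for the URL, then for the attribute).
                    string href = "ByAuthor.aspx?author=" + HttpUtility.UrlEncode(author);
                    Response.Write("<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">"
                                   + HttpUtility.HtmlEncode(author) + "</a>");
                }
            }
        }
    }
}
```

    In a databound template such as a Repeater ItemTemplate the same call is written as `<%# Server.HtmlEncode(Eval("Body").ToString()) %>`, since Server.HtmlEncode is the same encoder exposed on the page's HttpServerUtility.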

#5

    Re: Cross-Site Scripting & sqlDataReader

    That's true. It's HTMLEncode().

    Av.

    "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    news:OfdW3eyNEHA.3492@TK2MSFTNGP10.phx.gbl...
    > You mean HTMLEncode()?
    >
    > URLEncode() is for formatting text to be placed into a URL (eg as part of
    > a
    > querystring)
    >
    > Cheers
    > Ken
    >
    > "avnrao" <avn@newsgroups.com> wrote in message
    > news:eI$54TyNEHA.1396@TK2MSFTNGP10.phx.gbl...
    > : Use HttpServerUtility.UrlEncode while binding.
    > :
    > : Av.
    > : "vineetbatta" <anonymous@discussions.microsoft.com> wrote in message
    > : news:B2FE8EF1-A473-458F-9659-96A059BED429@microsoft.com...
    > : >I am using SqlDataReader for showing data from the database.
    > : > But if the data from SQL has tags like <script>alert()</script>
    > then
    > : > it shows an alert box while binding.
    > : >
    > : > Is there any way of suppressing this? Or is it a flaw?
    > : >
    > : > regards
    > : > Vineet Batta
    > : >
    > :
    > :
    >
    >

    avnrao Guest
