One of my GUIs was giving a message "A potentially dangerous Request.Form value was detected from the client".
This is because names can contain <> characters.
To stop this message one can add ValidateRequest="false" to web.config.
This leaves the application vulnerable to malicious input, e.g.

http://www.thegeekstuff.com/2012/02/xss-attack-examples/

If the GUI converts <> to escape characters the stored procedure will need to convert them back, so I could still get malicious JavaScript when the browser displays the name.

The only consolation I can think of is that the name is limited to 90 characters. How long would a string of JavaScript need to be to act maliciously?

This link gives some tags to look out for, but is not exhaustive.

http://msdn.microsoft.com/en-us/library/ff649310.aspx
Any suggestions? I'm using Visual Studio 2008 with ASP.NET 3.5 (C#).
Updated 31-Oct-13 1:30am
Comments
Mike Meinz 31-Oct-13 9:40am    
Change the rule. Make a new rule. Names cannot contain < or >.
Alhal 31-Oct-13 11:44am    
Experts exchange advised me to store them as escape characters in the database. The browser will render them as <>. Does that make sense to you?
http://www.experts-exchange.com/Programming/Languages/Scripting/JavaScript/Q_28281978.html
Mike Meinz 31-Oct-13 17:12pm    
Like I said, change the rules and don't allow < and > in names. Problem solved!
Alhal 1-Nov-13 5:30am    
We receive them from suppliers. They are unit trust names, so that's not an option.
Mike Meinz 1-Nov-13 7:33am    
Two options:

1. Tell your suppliers to change the way they submit these names so that < and > are not in them. Suppliers want to continue to be suppliers so they generally will comply.

2. Replace > with &gt; and < with &lt;. The new values will display correctly in an HTML document (web page).
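The encode-on-output rule from option 2, worked through as an added example (not code from the original question or comments, and not ASP.NET-specific): names are stored raw in the database and HTML-encoded only at the point they are written into the page, so a supplier name containing angle brackets is displayed as text rather than interpreted as markup. The second render function models the pattern the question worries about, where the GUI encodes on input and the stored procedure decodes on output, and a small check shows why that reintroduces the problem. The sample names are constructed.

```javascript
// Added example: "store raw, encode on output" for names that legitimately
// contain < and >. Not from the original post; all sample names are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a string for insertion into HTML text or a quoted attribute value.
// '&' is encoded as well; otherwise a name already containing the text "&lt;"
// would be shown as "<" instead of the literal characters the supplier sent.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Decode the five entities above. This models a stored procedure or display
// layer that "converts them back" - the step the question is worried about.
function htmlDecode(value) {
  return String(value)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Safe pattern: the raw name comes straight from storage and is encoded here,
// at the moment it is placed in the page.
function renderNameCell(rawName) {
  return `<td>${htmlEncode(rawName)}</td>`;
}

// Unsafe pattern: the value was encoded when stored, decoded on the way out,
// and the decoded text is placed in the page as-is.
function renderNameCellDecoded(storedEncodedName) {
  return `<td>${htmlDecode(storedEncodedName)}</td>`;
}

// True when anything other than the template's own <td> wrapper contains
// angle brackets, i.e. when name data has become markup.
function containsForeignMarkup(cellHtml) {
  const inner = cellHtml.replace(/^<td>/, "").replace(/<\/td>$/, "");
  return /[<>]/.test(inner);
}

// Constructed sample names (not real unit trust names).
const SAMPLE_NAMES = [
  "Global Equity Fund <Acc>",   // legitimate angle brackets in a name
  "Income & Growth Trust A",    // ampersand must survive a round trip
  "Bond Fund <b>Class B</b>",   // text that happens to look like markup
];

if (typeof require !== "undefined" && require.main === module) {
  for (const name of SAMPLE_NAMES) {
    const safe = renderNameCell(name);
    const unsafe = renderNameCellDecoded(htmlEncode(name));
    console.log(`${name}`);
    console.log(`  encode on output: ${safe}`);
    console.log(`  decode on output: ${unsafe}`);
  }
}
```

The check at the end is the one to apply to the question's setup: if the display path ever decodes entities before writing the value into the page, the angle brackets come back as live markup, and the 90-character limit on the column does not change that. Keeping the stored value raw and encoding once, at output, removes the need for ValidateRequest to catch the characters at all.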

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)