Introduction
It is often necessary to let users upload text that will later be displayed in a web browser. A good example is the interface for the code camp website, where presenters upload a description of their presentation. Because what one user enters will ultimately be rendered in another user's browser, it is important not to let certain tags, such as <script></script>, be rendered as markup. The reason is that if a user were to enter a script tag that pops up an alert saying "hello", every unsuspecting user who visits that page would see a "hello" dialog on their screen. Even worse, they may find cookies stolen, nasty redirections or other malicious behavior caused by that executing JavaScript. The solution to this problem is to keep bad tags from ever reaching the client's browser as markup. This article gives a step by step method for doing this.
The Solution
The solution is to store the information the user typed into the browser as HTML-encoded text. That is, the angle brackets and ampersands are replaced by their entity forms, so <script></script> becomes &lt;script&gt;&lt;/script&gt;.
The benefit of this is that if the encoded text is sent back to the browser, it is displayed literally, as the characters <script></script>, and the browser never treats it as a tag, so no code is executed. The problem then becomes: what if you do want some tags, such as <p></p>, <b></b> or <i></i>, to be rendered as real tags? No problem, a few simple String.Replace calls that turn only those encoded tags back into real ones and you are back in business.
So, as promised, here is the step by step.
First, when saving the string to the database, HTML-encode it rather than storing the raw text the user typed.
Then, write a small function that takes the encoded string and decodes only the tags you are interested in, such as paragraph, bold and italics. The sample function for that process does this with String.Replace on the encoded forms of the opening and closing tags.
To use the function, populate a Label control with its output rather than with the encoded string from the database.
Then, put a function in your codebehind that reads the encoded description, passes it through ConvertEncodedHTMLToRealHTML and assigns the result to the Label's Text property.
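The two steps above carried through in C#, as an added example and not the article's own listings (which are not reproduced on this page). It assumes System.Net.WebUtility.HtmlEncode for the encoding step (classic ASP.NET would use System.Web.HttpUtility.HtmlEncode or Server.HtmlEncode); the method name ConvertEncodedHTMLToRealHTML is taken from the article, the class name and the sample input are this example's own.

```csharp
using System;
using System.Net;   // WebUtility.HtmlEncode; classic ASP.NET can use System.Web.HttpUtility.HtmlEncode

public static class SafeHtmlStorage
{
    // Tags allowed to come back as real markup. Only the bare, lower-case, attribute-free
    // form is restored, so "<b onmouseover=...>" or "<P>" never match and stay encoded (fail closed).
    private static readonly string[] AllowedTags = { "p", "b", "i" };

    // Step 1 (on save): encode everything the user typed. After this, nothing in the stored
    // string is markup: "<script>" is stored as "&lt;script&gt;". Because "&" is encoded too,
    // a user who types the literal text "&lt;b&gt;" gets "&amp;lt;b&amp;gt;", which is never restored.
    public static string EncodeForStorage(string userInput)
    {
        return WebUtility.HtmlEncode(userInput ?? string.Empty);
    }

    // Step 2 (on display): turn only the allow-listed tags back into real tags.
    // Method name from the article; the body is this example's own.
    public static string ConvertEncodedHTMLToRealHTML(string encoded)
    {
        if (encoded == null) return string.Empty;
        string result = encoded;
        foreach (string tag in AllowedTags)
        {
            // string.Replace(string, string) is an ordinal, case-sensitive match, so exactly
            // "&lt;b&gt;" and "&lt;/b&gt;" are restored and nothing else.
            result = result.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            result = result.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample input: legitimate formatting plus two injection attempts.
        string typed = "<p>Talk on <b>ASP.NET</b> and <i>security</i></p>"
                     + "<script>alert('hello')</script>"
                     + "<b onmouseover=\"alert(1)\">hover me</b>";

        string stored = EncodeForStorage(typed);                 // what goes into the database
        string display = ConvertEncodedHTMLToRealHTML(stored);   // what goes into Label1.Text

        Console.WriteLine(stored);
        Console.WriteLine(display);
        // "display" contains real <p>, <b> and <i> tags. The script block and the <b> with an
        // attribute are still "&lt;script&gt;..." and "&lt;b onmouseover=..." and render as
        // plain text. The stray closing </b> after "hover me" is restored, but a lone closing
        // tag cannot execute anything.
    }
}
```

In the page's codebehind the display step is simply Label1.Text = SafeHtmlStorage.ConvertEncodedHTMLToRealHTML(encodedDescriptionFromDb). The safety of the scheme rests entirely on matching the exact encoded form of a bare tag: the moment the allow list grows to tags that need attributes (an <a href=...>, for instance), exact-string replacement can no longer distinguish a harmless attribute from an event handler, and a real HTML sanitizer should be used instead of String.Replace.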
Conclusion
You now have a way to store user-supplied HTML in your database and redisplay it safely. This method renders only a fixed set of bare tags; everything else, including any tag with attributes, stays encoded and is shown as plain text. You can of course expand the set of tags it restores, or use other methods to make the HTML safe to display, but once the allowed tags need attributes, simple string replacement is no longer enough and a proper HTML sanitizer is the right tool. Note also that storing the text already encoded ties the stored data to HTML output; many teams prefer to store the raw text and encode at the point of display, which produces the same result on the page. The method presented here is just one very simple approach.
About Peter Kellner