views:

48

answers:

1

Hello, I have a question regarding AntiXSS implementation. If I were to read values from a textbox on a page, store them directly into a database, and then read the value from the database and insert it into a textbox, is there a chance that the tag or similar could be executed in the process? Regards, Andy

+1  A: 

It is best to assume that all user-inputted data is potentially malicious. Don't encode input based on usage, as your usage of the data may change: always encode user-inputted values and you will have effectively removed any potential problems.

Andrew Hare
Always always always always ALWAYS. I don't care if it's in your admin control panel. ALWAYS. When I was younger I used to go around to websites, pasting Linux shutdown commands/table wipes into text boxes, and hitting submit, waiting a few, and refreshing. It was endlessly entertaining.
Sneakyness
Thank you so much for your comment... I am not as well experienced as you in the situation. Can you please give me an example? The reason I ask is my client has an email address field and he believes that there is no need to implement AntiXSS, as HTML code inserted into a textbox, sent to an INSERT query and read from the database using a SELECT query sent back to the textbox, cannot be executed in the process. Regards, Andy.
Andy
We are working on ASP.NET platform. Regards, Andy
Andy
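The point of the answer, illustrated as an added example that is not from the answer or from the AntiXSS library: the round trip through INSERT and SELECT changes nothing, so the stored value must be encoded for the HTML attribute context at the moment it is written back into the textbox. The encoder below uses a whitelist approach similar to AntiXSS (alphanumerics pass, everything else becomes a numeric entity); `renderTextboxUnsafe`, `renderTextboxSafe` and the sample value are constructed for this illustration.

```javascript
// Added example: attribute-context HTML encoding of the kind a page needs
// before a value read back from the database goes into value="...".
// The encoder whitelists alphanumerics and encodes everything else as a
// numeric entity, the conservative approach AntiXSS-style libraries take.
function encodeForHtmlAttribute(value) {
  let out = "";
  for (const ch of String(value)) {          // iterates by code point
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else {
      out += "&#" + ch.codePointAt(0) + ";";
    }
  }
  return out;
}

// Vulnerable rendering: the stored value is concatenated as-is into the
// value="..." attribute, so any quote in the data ends the attribute early
// and whatever follows is parsed as markup.
function renderTextboxUnsafe(stored) {
  return '<input type="text" name="email" value="' + stored + '">';
}

// Hardened rendering: identical markup, value encoded for the attribute
// context first. The database did not have to change at all.
function renderTextboxSafe(stored) {
  return '<input type="text" name="email" value="' +
         encodeForHtmlAttribute(stored) + '">';
}

// Defensive check: how many raw double quotes the browser will see in the
// tag. The three attributes account for exactly six; anything more means
// the data broke out of the attribute.
function countRawQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed sample value, as it might come back from a SELECT query on an
// email field: a display name containing quotes and angle brackets.
const storedValue = 'Andy "Admin" <andy@example.com>';
```

Running `countRawQuotes` on both renderings of `storedValue` shows the unsafe tag carrying two extra quotes from the data while the safe tag carries only the six that belong to its attributes.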