Hello, I have a question regarding ANTIXSS implementation. If I was to read values from a textbox on a page and store it into a database directly and then read the value from the database and insert it into a textbox, then is there a chance that the tag or similar could be executed in the process? Regards, Andy
+1
A:
It is best to assume that all user inputted data is potentially malicious. Don't encode input based on usage as your usage of the data may change - always encode user inputted values and you will have effectively removed any potential problems.
Andrew Hare
2009-07-28 00:53:24
Always always always always ALWAYS. I don't care if it's in your admin control panel. ALWAYS. When I was younger I used to go around to websites, pasting linux shutdown commands/table wipes into text boxes, and hitting submit, waiting a few, and refreshing. It was endlessly entertaining.
Sneakyness
2009-07-28 00:55:07
Thank you so much for your comment... I am not as well experienced as you in the situation. Can you please give me an example? The reason I ask is my client has an email address field and he believes that there is no need to implement AntiXSS, as HTML code inserted into a textbox, sent to an INSERT query and read from the database using a SELECT query sent back to the textbox cannot be executed in the process. Regards, Andy.
Andy
2009-07-28 01:01:26
We are working on ASP.NET platform. Regards, Andy
Andy
2009-07-28 01:02:11
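To illustrate the point of the answer above (store raw, but always encode on output), here is an added example that is not part of the original question or answers. It uses Python's standard `html` module rather than ASP.NET so it can be run anywhere; the sample stored value and the two render functions are constructed for the demonstration. The value in `STORED_EMAIL` is what the scenario in the question produces: a string from the email textbox saved to the database unchanged and then written back into a textbox. Parsing the rendered markup shows that, without attribute encoding, the stored text closes the `value` attribute and introduces a new element, while the encoded version keeps it as inert attribute text. In ASP.NET the same role is played by an HTML attribute encoder such as `HttpUtility.HtmlAttributeEncode`.

```python
import html
from html.parser import HTMLParser

# Constructed sample: what a user typed into the "email" textbox and what the
# INSERT query then stored verbatim (the scenario described in the question).
STORED_EMAIL = 'andy@example.com"><b>not an email</b>'


def render_unencoded(value):
    """The 'no AntiXSS needed' approach: raw database value dropped into markup."""
    return f'<input type="text" name="email" value="{value}">'


def render_encoded(value):
    """Encode on output. quote=True also escapes the double and single quote,
    which is what keeps the value inside the attribute."""
    return f'<input type="text" name="email" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag the browser-like parser sees and the value
    attribute of each <input>, so we can inspect what the markup really says."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def analyse(markup):
    """Return the tags present in the markup and the parsed <input> values."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "input_values": parser.input_values}


if __name__ == "__main__":
    for label, renderer in (("unencoded", render_unencoded), ("encoded", render_encoded)):
        markup = renderer(STORED_EMAIL)
        print(label, markup)
        print("   ", analyse(markup))
```

The parsed result is the check a practitioner wants: the unencoded render contains an `input` and a `b` element, and the textbox value has been truncated at the first quote, whereas the encoded render contains only the `input` and the textbox value round-trips exactly. Whether the stored string happens to be an email address or a tag makes no difference to the encoder, which is why encoding at output time, regardless of the field's intended use, is the safe default.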