tags:

views:

62

answers:

3
+3  Q: 

Is it dangerous to store user-enterable text into a hidden form via javascript?

In my asp.net MVC application I am using in place editors to allow users to edit fields without having a standard form view. Unfortunately, since I am using Linq to Sql combined with my data mapping layer I cannot just update one field at a time and instead need to send all fields over at once.

So the solution I came up with was to store all my model fields into hidden fields, and provide span tags that contain the visible data (these span tags become editable due to my jquery plugin). When a user triggers a save of their edits of a field, jquery then takes their value and places it in the hidden form, and sends the whole form to the server to commit via ajax.

When the data goes into the hidden field originally (page load) and into the span tags the data is properly encoded, but upon the user changing the data in the contenteditable span field, I just run 

$("#hiddenfield").val($("#spanfield").html();

Am I opening any holes this method? Obviously the server also properly encodes stuff prior to database entry.

+2  A: 

Assuming your server is properly detecting and dealing with XSS attempts, there's no way a malicious user could submit an attack for another user. Unless someone wants to hack themselves(?), it seems secure to me.

Allain Lalonde  2010-04-24 18:54:19
That's what I was thinking but I wanted to make sure before I made any assumptions! :)
KallDrexx  2010-04-24 18:56:25
A: 

There's no difference here than if you were providing visible input fields and having that form submitted. Simply shuffling the data into hidden fields vs. visible ones would not make a difference.

BradBrening  2010-04-24 18:57:29
Except that the content of the fields gets interpreted when it's embedded in the page. A field containing <img src="..." onload="alert('test')"> will behave differently then having that code embedded in your page.
Allain Lalonde  2010-04-24 21:25:56
+2  A: 

I find this approach pretty unsavory. I guess the overall soundness of this scheme depends on what fields you're actually populating this way --

For example, if you store fields that are supposed to be set only once (at the time of record creation) and never changed, this will allow a (malicious) user to change the field values mid-stream by editing a hidden field before posting (very easy to do, for example, with Firebug).

Bosh  2010-04-24 19:17:20
I agree, but I'm running out of ideas of how to handle this without retrieving a whole record just to update one field.
KallDrexx  2010-04-24 23:51:07

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security