ansaurus

Question

Answer 1

A:

To be honest I am not aware of an XSS attack that involves slashes and dots. However many characters have an htmlentitiy equivalent and it is making this conversion, but i don't think this is due to a security concern.

In terms of security the nasty characters are these 4: '"<>. Another thing, the method AntiXss.HtmlEncode() should be used on user input to prevent XSS. It doesn't make much sense to run this function on the date which cannot be influenced by an attacker... (Unless of course your defending against time travelers.)

Rook 2010-07-16 21:30:34

Well the date is set by the user. I guess it would die if trying to get into the database(since it would not be a datetime). On a side note is better to encode input to the db or let everything in and encode output to user. Or do both?

chobo2 2010-07-16 21:36:21

How about number stored as ints? Could they right it in int's liek they can write it in hex?

chobo2 2010-07-16 21:37:03

Now that I think of it your right probably does not make sense to do it on dates. I guess I was thinking well the users could change it to anything(since it gets changed to a string) but I guess that is kinda hard to make a string when the date is stored in a datetime in the database and thats where I get it. So I am guessing it would be the same thing with int's, bits, etc?

chobo2 2010-07-16 21:41:02

@chobo2 Its *usually* better to store the data in its actual form because it makes it easier to do comparisons. In this case you might want to select all rows after a particular date and if it was encoded you couldn't do that. An XSS vulnerability only exists if the attacker can force another browser to execute JavaScript, thus storing `<script>alert(/xss/)</script>` in the database isn't a vulnerability, but printing it out is.

Rook 2010-07-16 21:42:49

Ya I guess my thinking(or lack of thinking) was that for some reason they could store that in the database where my date was(even though it was a datetime)

chobo2 2010-07-16 22:02:10

The next version (a couple of weeks away) is slightly more circumspect in what it encodes, especially around the basic punctuation. But yes, don't store encoded data, encode at the point of rendering.

blowdart 2010-08-03 01:50:43

Answer 2

A:

Instead of encoding the date just do a sanity check on the format of the date string. As long as its a well formed date there is no danger of a script injection or other shenanigans.

jasongetsdown 2010-07-16 21:42:30

ansaurus

tags:

views:

answers:

Question about Html Encoding

related questions