
Displaying User Input - Part 2

Back in June I posted a cryptic little entry that highlighted a potential issue that can arise when displaying user input.

http://weblogs.asp.net/dneimke/posts/8566.aspx

By now we all know that user input has to be HtmlEncoded before it is rendered to the browser, right... but what if you need to display user input inside a TextBox? HtmlEncoding it will leave it unreadable, and (as per my initial post) doing nothing with it will leave you exposed if the user entered something like:

 </TEXTAREA><SCRIPT>self.location = 'raceyRhonda.com'</SCRIPT> 

My solution to this problem is to escape the user input for a JavaScript string literal, emit it in a small client-side script, and let that script load it into the TextBox at runtime. Note that this only works if every character that could terminate the literal (quotes, backslashes, line breaks) or the enclosing script element (a "</script>" sequence) is escaped; the regex below handles the quotes, backslash and forward slash. Here is a silly demo that explains what I'm blabbing about:

************ WEB FORM ****************

<HTML>
<body>
<form id="Form1" method="post" runat="server">
  <P>
    Enter an expression and it will be emitted into the Textbox on PostBack...
    <BR>
    <asp:TextBox id="newTestTextBox" runat="server" TextMode="MultiLine" Rows="5" Columns="40"></asp:TextBox>
    <asp:Button id="testButton" runat="server" Width="72px" Text="Test" />
  </P>
  <P>
    <HR width="100%" SIZE="1">
  </P>
  <P>Your pattern is:
    <BR>
    <asp:TextBox id="outputTextBox" runat="server" Width="504px" />
    <BR>
    <asp:Label id="outputLabel" runat="server"></asp:Label>
  </P>
</form>
</body>
</HTML>

************ CODEBEHIND **************

// These methods live in the page's code-behind class and need:
//   using System;
//   using System.Text;
//   using System.Text.RegularExpressions;

private void testButton_Click( object sender, System.EventArgs e )
{
    // Escape the raw input for a JavaScript string literal and push it into
    // the output TextBox on the client; the Label gets the HTML-encoded copy.
    string source = CleanString( newTestTextBox.Text ) ;
    EmitLoadScript( source ) ;
    outputLabel.Text = Server.HtmlEncode( newTestTextBox.Text ) ;
}

// Backslash-escape the characters that could end the JavaScript string
// literal ( \ ' " ) or, via "</script>", the script element itself ( / ).
private string CleanString( string s )
{
    string tmp = s ;
    if( tmp.Trim().Length > 0 )
    {
        tmp = Regex.Replace( tmp, @"(?'cleanItem'[\\\/'""])", "\\${cleanItem}" ).Trim() ;
        // A MultiLine TextBox submits CR/LF; left raw they would end the
        // literal early and the browser would reject the whole script block
        // ("unterminated string literal"). Escape them after the regex so the
        // backslashes added here are not escaped a second time.
        tmp = tmp.Replace( "\r", "\\r" ).Replace( "\n", "\\n" ) ;
    }
    return tmp ;
}

private void EmitLoadScript( string s )
{
    StringBuilder sb = new StringBuilder() ;
    sb.AppendFormat( @"{0}<script>{0}", Environment.NewLine ) ;
    sb.Append( @"document.getElementById( """ ) ;
    sb.AppendFormat( @"{0}"" ).value =""{1}"" ;", outputTextBox.ClientID, s ) ;
    sb.AppendFormat( "{0}</script>{0}", Environment.NewLine ) ;
    // Page.RegisterStartupScript is obsolete from ASP.NET 2.0 onwards; there
    // use ClientScript.RegisterStartupScript( GetType(), "populateTB", sb.ToString() ).
    Page.RegisterStartupScript( "populateTB", sb.ToString() ) ;
}
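The following is an added example written for this page, not code from the original post: it ports the post's CleanString() regex to JavaScript, puts a hardened escaper beside it, and uses new Function as a stand-in for the browser's script parser to check whether the emitted literal parses back to the original text. The function names (cleanStringOriginal, escapeForJsString, buildLoadScript, parseEmittedLiteral, compareEscapers) and the two-line sample value are my own; the first sample payload is the one from the post, and "outputTextBox" stands in for the control's ClientID.

```javascript
// Added example (not from the original post): escaping untrusted text for a
// JavaScript string literal that is emitted inside a <script> block, with a
// check that the browser would parse it back into the original value.

// Port of the post's CleanString(): backslash-prefix \ / ' " and trim.
function cleanStringOriginal(s) {
  return s.replace(/([\\\/'"])/g, "\\$1").trim();
}

// Hardened escaper. Besides the quote characters and the backslash it
// handles CR, LF, TAB, NUL, the JS line terminators U+2028/U+2029, and the
// HTML-significant characters < > & /, so neither a raw line break nor a
// "</script" sequence can ever appear in the emitted literal.
function escapeForJsString(s) {
  return s.replace(/[\\'"\n\r\t\0\u2028\u2029<>&\/]/g, function (ch) {
    switch (ch) {
      case "\\": return "\\\\";
      case "'": return "\\'";
      case '"': return '\\"';
      case "\n": return "\\n";
      case "\r": return "\\r";
      case "\t": return "\\t";
      case "\0": return "\\x00";
      default:
        // < > & / U+2028 U+2029 -> \uXXXX (harmless to both HTML and JS parsers)
        return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
    }
  });
}

// The startup script the server emits, mirroring EmitLoadScript() in the post.
// clientId is assumed to be a server-controlled element id, never user input.
function buildLoadScript(clientId, escaped) {
  return '<script>\ndocument.getElementById("' + clientId +
         '").value = "' + escaped + '";\n</script>';
}

// Stand-in for the browser's script parser: evaluate the literal on its own.
// Returns the decoded string, or null if the literal is a SyntaxError (the
// browser would then drop the whole script block and the TextBox stays empty).
function parseEmittedLiteral(escaped) {
  try {
    return new Function('return "' + escaped + '";')();
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Constructed sample inputs: the post's own payload, and a two-line value of
// the kind a MultiLine TextBox submits (CR LF between the lines).
const SAMPLE_PAYLOAD =
  "</TEXTAREA><SCRIPT>self.location = 'raceyRhonda.com'</SCRIPT>";
const SAMPLE_MULTILINE = "line one\r\nline two";

// Run both escapers over both inputs. Each entry records whether the emitted
// literal parses back to the input and whether a raw '<' is still emitted
// (the original relies on escaping '/' to keep "</script" out of the output).
function compareEscapers() {
  const results = {};
  for (const [name, esc] of [["original", cleanStringOriginal],
                             ["hardened", escapeForJsString]]) {
    for (const [label, input] of [["payload", SAMPLE_PAYLOAD],
                                  ["multiline", SAMPLE_MULTILINE]]) {
      const escaped = esc(input);
      results[name + "/" + label] = {
        roundTrips: parseEmittedLiteral(escaped) === input,
        emitsRawLt: escaped.indexOf("<") !== -1,
      };
    }
  }
  return results;
}
```

Running compareEscapers() shows the trade-off: the post's regex round-trips its own payload (the "</SCRIPT>" comes out as "<\/SCRIPT>", which the HTML parser does not treat as a closing tag), but any value containing a line break, which is exactly what a MultiLine TextBox produces, fails to parse and the TextBox is left empty. The hardened escaper round-trips both and never emits a raw "<" at all. In .NET 4.0 and later, HttpUtility.JavaScriptStringEncode performs this kind of encoding server-side, so the hand-written regex is no longer needed there.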

4 Comments

  • Well you don't really *NEED* to HtmlEncode all user input, you just need to make sure they don't do anything naughty... What I've done for a recent application is perform an XSLT transform on the incoming user content - this strips out all malicious and unwanted HTML content but leaves tags I do allow - some formatting ones... I do this by converting the incoming data to XML using the excellent SGML parser then applying the transform before saving to DB. This has been completely foolproof so far - the fall back if the conversion fails is of course to HtmlEncode...

  • When you set the Text property of a TextBox (multiline or not) on a WebForm, the text is automatically HTML Encoded. That's why running it through Server.HtmlEncode yourself yields goofy results, it's encoding the already encoded text.

  • <SCRIPT>self.location 'www.microsoft.com'</SCRIPT>

  • <SCRIPT language="Javascript">
    self.location='www.microsoft.com';
    alert("here");
    </SCRIPT>
