I'm studying a solution to manage data coming from a textarea edited by users.
I'll have to give the chance to the users to add some basic HTML tags (links, bold, list and something else).
My big concern is about the security.
The data will be saved in a mySql db.
Any advice in order to avoid as much as possible security problems?
What is the best way to save this kind of text in a database?
Thank you
The best way to solve this is to make a whitelist of the allowed tags. Through JavaScript you can warn the users that they are entering invalid data, but to secure your data at the server side you need to strip them out of the content. A script tag for example should be handled with care. If you want your users to enter those, and other users to be able to view it, some more complex handling is needed.
A neat solution is to escape all the white listed tags and to encode the other ones as characters, so that a <script> tag becomes &lt;script&gt;. That way, if you output it in your html it won't be seen as a valid tag but as characters placed after each other.
If you need a more specific solution for your own language please provide some more details, but this is sufficient as a global concept.
I am inserting HTML into the database for the first time, so I need some advice on whether I am doing it right and safely.
I have class with property:
[AllowHtml] public string Description { get; set; }
In View I have a tinyMCE (on text area) where user input his data.
When I display that html later I use:
@Html.Raw(Model.Description)
I don't know should I do something else to prevent some attack on site.
I have tried to input:
<script>alert('attack');</script>
but nothing happens: it saves it in the database and displays it as normal text later.
Also I wonder, if a user leaves some tag unclosed, can he break my layout somehow?
What are smart steps when dealing with a scenario like this?
What should happen is that the html should be encoded before it is written to the database. If you look in your database you should see something like this (or at least if things are safe you should):
&lt;script&gt;alert('attack');&lt;/script&gt;
Now when this is written to the page by Html.Raw, it appears on screen as it did when it was submitted, but if you inspect the page you will still see the same thing.
ASP.Net actually makes it very difficult to write code that opens your site up to abuse, so you should generally be fine. It is worth doing some more reading around the topic though as it's good stuff to be aware of especially if mentoring others.
Some links:
Preventing Javascript and XSS attacks
http://msdn.microsoft.com/en-us/library/ff649310.aspx
You can use the Microsoft AntiXSS from the Windows Protection Library.
TinyMCE, AntiXSS, MVC3 and GetSafeHtmlFragment
Cheers.
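A whitelist sanitizer of the kind both answers describe, as an added example in Python (not code from either post and not any ASP.NET or AntiXSS library; the allowed-tag set and the safe URL schemes are constructed for illustration). Allowed tags are re-emitted, every other tag is encoded as text so a `<script>` tag reaches the browser as `&lt;script&gt;`, non-whitelisted attributes are dropped, and tags the user left unclosed are closed so the layout cannot be broken.

```python
import html
from html.parser import HTMLParser

# Whitelist of tags and the attributes each may keep (constructed for this example).
ALLOWED = {"b": set(), "i": set(), "strong": set(), "em": set(), "p": set(),
           "ul": set(), "ol": set(), "li": set(), "br": set(), "a": {"href"}}
VOID = {"br"}                                        # never gets a closing tag
SAFE_HREF = ("http://", "https://", "mailto:", "/")  # any other scheme is dropped

class WhitelistSanitizer(HTMLParser):
    """Re-emit whitelisted tags; encode every other tag so it renders as text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []                 # output pieces, open-tag stack

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:                       # e.g. <script> -> &lt;script&gt;
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = ""
        for name, value in attrs:                    # drops onclick=, style=, ...
            if name in ALLOWED[tag] and value is not None:
                if name == "href" and not value.strip().lower().startswith(SAFE_HREF):
                    continue
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:                         # also closes anything nested in it
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        elif tag not in ALLOWED:                     # e.g. </script> -> &lt;/script&gt;
            self.out.append(html.escape(f"</{tag}>"))
        # a stray closing tag for an allowed tag that was never opened is dropped
    def handle_data(self, data):                     # plain text: encode &, <, >
        self.out.append(html.escape(data, quote=False))
    def result(self):
        # Close whatever was left open so an unclosed tag cannot break the page layout.
        return "".join(self.out) + "".join(f"</{t}>" for t in reversed(self.open))

def sanitize(fragment):
    """Run server-side before storing; the result is safe to emit with Html.Raw."""
    p = WhitelistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()
```

Stored this way, the database row for the test input from the question holds `&lt;script&gt;alert('attack');&lt;/script&gt;`, which is exactly what the second answer says you should see there.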
I have a Rails application that has a search field that allows any visitor to search a database.
I'm hesitant to implement a Captcha because I'd like to keep the site clean and user-friendly.
However, I'd like to make it difficult for bots to try to harvest everything from the database by making tons of consecutive random queries. So I'm considering adding a Captcha that appears only if it looks like this is happening (e.g., the Captcha appears after a few bad searches).
Any suggestions for how to implement this? Should I try to use a session variable or keep track of IP addresses? Would I be better off handling this issue at the server level (i.e., with an htaccess file)?
Consider using a honeypot. That means adding a form element that you hide with CSS. Bots cannot see that you've hidden the field and they will fill it in. Normal users will not fill it in.
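Added example in Python (not the answer's code and not a Rails component): a server-side guard that keys on a client identifier (session id or IP address, whichever the application uses; the addresses below are constructed), flags a client when it fills in the CSS-hidden honeypot field, exceeds a search rate inside a sliding window, or strings together empty-result searches, and only then demands a captcha. The thresholds and the honeypot field name are assumptions.

```python
import time
from collections import defaultdict, deque

# Thresholds are constructed for this example; tune them against real traffic.
WINDOW_SECONDS = 60
MAX_SEARCHES_PER_WINDOW = 20    # more than this per client per window -> captcha
MAX_EMPTY_RESULTS = 5           # this many consecutive zero-hit searches -> captcha
HONEYPOT_FIELD = "website"      # hidden with CSS; a human never fills it in

class SearchGuard:
    """Per-client decision: must the next search pass a captcha?"""
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable so tests can freeze time
        self.hits = defaultdict(deque)          # client -> timestamps of recent searches
        self.empty_streak = defaultdict(int)    # client -> consecutive empty searches
        self.flagged = set()                    # clients that owe a captcha

    def _prune(self, client, now):
        q = self.hits[client]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def needs_captcha(self, client, form):
        """Call before running the query; `form` is the submitted field dict."""
        if form.get(HONEYPOT_FIELD):            # hidden field filled in: treat as a bot
            self.flagged.add(client)
        now = self.clock()
        self._prune(client, now)
        self.hits[client].append(now)
        if len(self.hits[client]) > MAX_SEARCHES_PER_WINDOW:
            self.flagged.add(client)
        return client in self.flagged

    def record_result(self, client, result_count):
        """Call after the query; a run of 'bad' (empty) searches also trips the captcha."""
        if result_count == 0:
            self.empty_streak[client] += 1
            if self.empty_streak[client] >= MAX_EMPTY_RESULTS:
                self.flagged.add(client)
        else:
            self.empty_streak[client] = 0

    def captcha_solved(self, client):
        """Reset the client once it has passed the captcha."""
        self.flagged.discard(client)
        self.empty_streak[client] = 0
        self.hits[client].clear()
```

Keying on IP alone is coarse behind NAT and keying on session alone is trivially reset by a bot, so in practice the client key is usually a combination of both.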
Users can submit color palettes and I'd like to standardize the format of the hex codes submitted.
Is there a typical way to clean up/standardize this sort of user-submitted data?
In my case, there are four fields where users can enter a hex code. I ultimately want to store it without the pound sign. (So #000000 to 000000).
It's obviously easy to remove the pound sign, but where in the process it should be is what I'm not sure of.
Needs to be server-side as this data can be submitted via other methods than the browser (i.e. API).
Everywhere!
You'll definitely want to clean it up server-side, as that's (presumably) where any sort of processing that expects consistently-formatted data happens, and that's also where you'll be sanitizing user input (which you're doing, of course, right?). Don't trust anything from a remote source on a server!
A bit of client-side auto-formatting wouldn't hurt, though; use javascript to automatically format things and impress your users while doing it!
Why not use Javascript to sanitize the data before passing it through to anything? You should be able to easily evaluate the string and make adjustments there before submitting it to your controller/action.
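Added example in Python (not code from the question or the answers): the server-side normalizer the first answer calls for, which strips the pound sign, expands CSS shorthand, lower-cases the digits, and rejects anything that is not a hex colour instead of guessing, applied to the four palette fields together so the caller gets clean values and per-field errors in one pass. Field names are assumed.

```python
import re

# "#abc", "ABC", "#A1B2C3", " a1b2c3 " are all accepted; anything else is rejected.
HEX_RE = re.compile(r"\A#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z")

def normalize_hex(raw):
    """Return the canonical six lowercase hex digits without '#', or None if invalid."""
    if not isinstance(raw, str):          # API callers may send null or a number
        return None
    m = HEX_RE.match(raw.strip())
    if not m:
        return None                       # reject rather than "repair" garbage
    digits = m.group(1).lower()
    if len(digits) == 3:                  # expand CSS shorthand: abc -> aabbcc
        digits = "".join(c * 2 for c in digits)
    return digits

PALETTE_FIELDS = ("color1", "color2", "color3", "color4")  # assumed field names

def normalize_palette(fields):
    """Validate all four fields; returns (clean values, per-field error messages)."""
    clean, errors = {}, {}
    for name in PALETTE_FIELDS:
        value = normalize_hex(fields.get(name))
        if value is None:
            errors[name] = "must be a 3- or 6-digit hex colour, with or without '#'"
        else:
            clean[name] = value
    return clean, errors
```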
Building an asp.net mvc website that has to be multilingual and wondering if it's possible to store formatted text in a resource file and whether it makes sense.
Lots of pages are static and user can edit them and add their own formatting "Bold,italics etc.."
and was wondering what is the best way to approach it.
I don't want to create one page per language, and storing in the database involves creating a structure to handle the same info in multiple languages. Seems hard to maintain.
Have you done it before? How did you do it?
Any suggestions?
Thanks a lot
Is it possible?
Certainly.
Does it make sense?
It depends. I would not recommend resource files (via ResourceWriter) for storing dynamic content.
Your problem
Let me rephrase it (I am not sure if I understood you correctly). You want to give your users an ability to change presentation style. User will be able to change the style and that change would be somehow propagated to whatever languages the content is translated to.
In such case, I see some issues:
How to match English contents with translated one?
It is typical for translation to have different order and possibly different number of sentences. There is no way to match them unless...
Storing such information in resource files along with translatable strings would result in something that is hard to maintain. I believe you would need to either add formatting tags or content tags with styling information in order to achieve that. The result would be a mess; hardly readable, and tough to modify.
OK, so what can you do? Actually, what I could recommend is to create Customization Mechanism for CSS files. In your case you need:
Provide CSS classes as well as unique identifiers (HTML id attribute) to each structural element (tags if you prefer), so that you have something like <div id="main" class="main"><p id="p1" class="normal">.... The ids will give users an ability to target precisely that element leaving others untouched (via #p1.normal { // definition here }).
Store CSS in the Database and create some editor for users.
Create a Handler to serve CSS from database upon web browser's request.
Even with such solution you won't avoid some problems. One is that you need to actually alter font family while translating into certain languages, so you might need language-based CSS files. Another problem pops up when user wants to put bold attribute on certain word - with such solution this is not possible (but to be honest if you want to allow that, this won't be i18n friendly for the reasons I mentioned earlier).
BTW. Bold fonts should be avoided for some languages. For example Chinese characters are pretty hard to read if you manage to output them with bold font.
If your users can post in multiple languages, it's probably best to use a database to store the info and accompanying formatting. If it is for labels and other static text on the website, the resource files are a good solution. The resource files store the content as strings, but storing formatted text in there breaks the 'separate the presentation from the logic' ideology.
I'm building a publicly available web app. Because of this, I'll be validating every field as exhaustively as I can. I mean, if someone enters something that isn't valid, they will know exactly what it was (making it clear what they need to fix).
I've followed Scott Guthrie's examples in the NerdDinner eBook. I love the idea of having all my validation in the core class files (as a partial class).
The validation I'm performing is this:
Min value - make sure strings are at least a certain length
Max value - make sure strings are under a maximum length (based on field properties in the DB)
int checks - make sure integer fields can be correctly parsed to int
file extension - make sure the uploaded file extensions are of the correct type
My question is, what are the typical validation checks you make in your web apps? Maybe I'm completely overlooking something. ;)
Thanks in advance!
You should try to use existing frameworks as much as possible for validation. Writing a comprehensive validation library is a lot of hard and time-consuming work. It's one of those things that are best left to a team of people dedicated to developing it such as the jQuery validation plugins and projects like that. There are a lot of really nice validator libraries out there already that could save you a lot of time and effort.
There is an MVC validator toolkit project on codeplex you may find helpful. CodeProject has a tutorial on it if you want to read more into it. You can also check out xVal, as one of the commenters mentioned.
If you have a specific reason you need to write validation in-house, or you aren't convinced by what I said above, a few that I find useful are:
Required field validation, obviously. You might already have this by just checking for minimum length in your fields.
Generic regular expression validation. Make sure you have some way to perform this kind of validation generically. This will help you in case there is some specific field that needs a unique form of validation found nowhere else in your site. Make sure your API is flexible enough to add specific regular expression based validation.
Email. You'll need this.
Phone numbers. These can be tough because of all the forms they can come in (all numeric, sometimes with alpha characters, sometimes international numbers that follow different formats).
Dates & times are important also, however you should consider using some sort of date/time picker to reduce the possibility of error by not allowing the user to type a value.
Make sure you include validation capabilities for non-textbox related fields, such as drop-down lists, radio buttons, check boxes, etc. I've forgotten these in the past just out of oversight, but they do become important.
Matching fields. For example, when confirming a password, both fields should match. This won't be used in just one page. Think about password resets, administrative pages, user control panels, etc.
Although somewhat complex, you might also want to include sequence validation. For example, perhaps some options on your site require you to select other options first. Another example is that certain options should only be selectable if you first choose some other combination of options. This is something that you may not be able to include in a generic API, but it's something to think about.
You'll want to check for SQL injection, XSS, and CSRF. You can use these tools for Firefox to help you test those. Then there are also things like making sure that the username doesn't equal the password, login throttling, etc. Validating your CSS and XHTML isn't bad either, though I don't think that's quite what you meant.
In addition to what others have mentioned, don't forget to validate items that depend on one another. That is, consistency of input values. If the user enters a maximum and a minimum, for example, don't just check the two values independently against their legal max and min, but also check them against each other to ensure that the values entered are logically consistent.
For hostnames, you may want to validate that DNS returns an IP address. If it does not, let the user know but don't necessarily reject the hostname for this reason. Maybe the user is pre-configuring something that doesn't exist yet. It depends on the specific application.
That is, in addition to syntactic validity, you can also check that the values entered are meaningful and consistent with each other.
Another thing you can do if you go all out is to only allow digits to be entered in numeric fields, only allow digits and "-" in credit card or phone number fields, and so on.
And always, always allow the user to enter input in the most familiar format, even if you later have to strip out extraneous data. For example, let the user (but don't require the user to) enter a phone number as 1-800-555-1212 even if you later strip out the "-" characters.
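Added example in Python (not this answer's code and not an ASP.NET MVC validator): the two checks this answer describes, side by side. A phone number is accepted in whatever familiar format the user typed before being stripped to digits, and a minimum/maximum pair is validated against each other only after each bound has passed its own check. Field names and limits are assumed.

```python
import re

def normalize_phone(raw):
    """Accept '1-800-555-1212', '(800) 555 1212', '+44 20 7946 0958'; keep only digits."""
    s = raw.strip()
    plus = s.startswith("+")              # remember an international prefix
    digits = re.sub(r"\D", "", s)         # strip '-', spaces, parentheses, dots
    if not 7 <= len(digits) <= 15:        # E.164 allows at most 15 digits
        return None
    return ("+" if plus else "") + digits

# Legal range for each bound on its own (assumed for this example).
BOUND_MIN, BOUND_MAX = 0, 1000

def validate_range(form):
    """Check each of 'minimum' and 'maximum' alone, then check them against each other."""
    errors, bounds = {}, {}
    for name in ("minimum", "maximum"):
        try:
            value = int(form.get(name, ""))
        except ValueError:
            errors[name] = "must be a whole number"
            continue
        if not BOUND_MIN <= value <= BOUND_MAX:
            errors[name] = f"must be between {BOUND_MIN} and {BOUND_MAX}"
        else:
            bounds[name] = value
    # Consistency check only makes sense once both values are individually valid.
    if len(bounds) == 2 and bounds["minimum"] > bounds["maximum"]:
        errors["minimum"] = "must not be greater than maximum"
    return errors
```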
Not really sure what this has to do with asp.net-mvc but...
I always try to avoid over-validating (obviously you need to do the simple sanity stuff to make sure there are no db errors). It is a field by field decision according to your business rules. Some fields will need to have strict validation rules, like a credit card number. But just always think about how the validation will serve the user. There is rarely a need for the regex to match all possible email addresses - it is really annoying when a site won't allow + signs in your email. In most cases, your app will be just fine if you let people put in phone numbers how they want. And always second guess yourself when you're about to put a required rule on a field.
I recommend the entlib validation application block for an easy-to-use and extendable framework.