.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
david stephan
Gaurav Pal
Post New Web Links

Preventing cross-site scripting and encoding a single quote

Posted By:      Posted Date: September 23, 2010    Points: 0   Category :ASP.Net

I'm trying to prevent possible cross-site scripting attacks for our internal use app (but available publicly outside the firewall).

One feature of our app is a javascript based breadcrumb that keeps track of prior urls (via nice titles). Everytime, a new page is loaded in the current workflow, when that page renders as the browser, it includes some javascript (generated server side in C# and put into the page) to add itself to the breadcrumb trail. Currently, the url that is launched is given directly to that javascript function. However, if that url contains a single quote it is possible to inject some custom javascript, ie, one would just need to append    ');alert('yeah!');       to their url.

I tried encoding/escaping but they skip the single quote. This is a case where I'm just passing the url through. But theoretically, if an attacker tricked somebody into launching his site when they are in ours, then I guess he could get script to execute in our page.

I don't see any method that takes a COMPLETE url and encodes/escapes JUST the parameters. So for now, I'm tearing down the url, and rebuilding it from the ground up, but encoding the parameter names and values.  This basically prevents the script from running, but I do still end up with at least a javascript error because of

View Complete Post

More Related Resource Links

Prevent from Cross-Site Scripting Attack


Hi All

I am really facing a major problem from Cross-Site Scripting Attack, Could anybody help me it would be really grateful. Below is sample script which automatically gets inserted into my HTML and ASPX Pages.

"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"

Thanks in Advance


HttpRequestValidationException, handling Cross Site Scripting (XSS)


First of all, this exception is caused by entering scripts or disallowed text as "<script>", "<h1>" by the user. This exception will be thrown while processing the request.

After searching and trying, most of the solutions were to:

1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.

I dont see this is a solution, the XSS problem is still there, it just does not throw the exception.

2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.

This is a good one, but have to go every single textbox and call this method (Server.Encode(txtAddress.Text)), but this require alot of effort to change the whole site, and some of them may be forgotten.

I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.

This will also require to change the whole site, to use MyTextBox instead of TextBox.

Any suggestions?

A Simple XML-driven Tool: Monitor Your Web Site's Activity with COM and Active Scripting


This article describes a simple Web site monitoring tool built with XML, JScript, Windows Script Host, and COM objects. Although it is not intended to replace complete Web site monitoring software products, it has many useful features that help to keep Web servers up and running. An XML configuration file specifies which Web sites to monitor and the actions to be taken if the site isn't functioning properly. In addition, the tool can be scheduled to run at any specified interval using the Windows Task Scheduler. Functions that probe the sites, log events, and send e-mail notifications are written in JScript.

Panos Kougiouris

MSDN Magazine July 2000

How to create a single entry page for site collections in MOSS 2007



I have  7 site collections containing a few hundred team collaboration sites. Some users are internal (intranet) but most are external (extranet). Extranet users are experiencing problems with losing links to their sites and forgetting which URLs to use. So I would like to create a single entry page that all users can enter after the logon process, which shows a list of sites they have permission to access, and other user-specific information. Perhaps relevant documents, tasks, recently modified documents etc.

I know this sounds like a 'My Site' but we want to use use a general welcome page instead. We use Windows authentication.
What is the best way of doing this and is it something that can be done in SharePoing Designer or does it need to be done in Visual Studio?

Many thanks in advance.

Work around cross scripting issue (iframe)

I want to know how I can get the button in the iframe to send the selected item in the dropdown box to a text box that is out side of the iframe. The setup is as follows This is the source of the Php page. The iframe receives the controls from the aspx page on another website. 2 separate websites. The asp.net site sends a dropdown box a label and a button to the page below (php page):<iframe id="hdnFrm" name="hdnFrm" src="" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0" style="width:90%; height:50px"></iframe> <form action='http://www.link-exchangers.com/adv_links_addbycustomer.aspx' target='hdnFrm' method='post'> <table width=90% align=center cellpadding=2 cellspacing=0 border=0> <tr><td valign=top>Contact email: </td><td><input type=text name=web_email value="" style='width:250px'></td></tr> <tr><td valign=top>Web site title: </td><td><input type=text name=web_title value="" style='width:250px'></td></tr> <tr><td valign=top>Your url: </td><td><input type=text name=web_url value="http://" style='width:

Cannot open a single page on my site.

hello Guys, i m facing a Problem while hosting a Website on dedicated Server. Actually we are shifting our website from 1 domain server to Other domain server. On previos Domain our webiste is running smooth, but i copied all webiste data and put in new server. I restore  the database from Old server to New server. I craeted a Virtual directory in IIS and set all net neccesssy parameters as required. But when I am trying to access the website I am Facing this Problem       Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine. Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off". <!-- Web.Config Configuration File --> <configuration> <system.web> <customErrors mode="Off"/> </system.web> </configuration>Notes: The current error page you are seeing can be replaced by a

XML Column containing single quote causes replication error

We have SQL Server 2005 transactional replication set up, and some of our tables have XML datatype columns.  We have run into an issue with the following error in the publication: Incorrect syntax near 's'. (Source: MSSQLServer, Error number: 102) Get help: http://help/102 Looking at the distribution database, I was able to extract the offending command, and it turns out that the XML column has a single quote (') embedded in it, and the command that was generated for inserting the row into the subscriber table has bad syntax because of the single quote (i.e., it is not escaped).  One interesting note is that the single quote happens to also show up in a non-XML column, and the command segment for that column was generated correctly (it was escaped). Is there a workaround / solution for this?

cross site-collection content query wp

Hi,How can i override the Content query wp so i can query data from other site collection? Is it possible?How? Recommended ways? alternatives? references?the site collection is under another site collectioni did some googling and only found a comercial wp for this..tks

Search for a single site

I have a MOSS farm with multiple sites. I have SharedServices set up, and a separate Content Source for my sites. However, I can't find how to restrict my intranet site to read from the intranet Content Source. It's pulling records from all the sites on the server. Also, is there a way to limit the returned data to certain types, eg: .doc, .xls, Announcement list items? Guidance appreciated.

Xsltlistviewwebpart social tagging error on cross site list

Hi! I have exported an xsltslistviewwebpart through SPD 2010 and when asked if I want to show a specific list or parent path I choose specfic. I then import the webpart file on another site and this show the list perfect with ribbon and everything. But when I click the social tagging & notes I get a new popup with a error message in: "The page you selected contains a list that does not exist.  It may have been deleted by another user.<nativehr>0x81020026</nativehr><nativestack></nativestack>" This is the same error that I get if I try to import a xsltlistviewwebpart without making the correct export. If I click this button on the original listview I dont get the error and I can add tags. The same problems goes for the I like button.Findwise AB

Problems with single quote character when attempting to export data from SQL Server

Hi, I am attempting to use the following query, which works fine when run in sql server management studio, to export data: SELECT             '1',             isnull(left(DISTRICT,1),' '),             isnull(left(CTV,2),'  '),             isnull(left(CTV2,5),'     ')           FROM [CensusData].[dbo].[MainQuestionnaire$] The export command follows: EXEC xp_cmdshell 'bcp "SELECT             '1',             isnull(left(DISTRICT,1),' '),             isnull(left(CTV,2),'  '),             isnull(left(CTV2,5),'     ')             FROM [CensusData].[dbo].[MainQuestionnaire$]" queryout "C:\bcptest.txt" -T -c -t -S "MYSERVER"' The error is: Incorrect syntax near '1'. I believe that the problem is with the single quote characters but don't know how to fix it. I am using SQL Server 2005 Express edition. Please help.

How to replace ' to single quote in XSLT


I have a DataView webpart in my Sharepoint  page.And I converted it to XSLT view for conditional formatting.My requirement is i need to get the Text of a column (of DataView )in a correct format with the property  disable-output-escaping="no" condition.Here Iam explaining the scenario my actual text is

 This is text of dvcolumn at share's Desk .But I am getting it as
 This is text of dvcolumn at share&#39;s &amp; Desk. I need to replace apostrope(or single quote ()')  at  &#39; and  space at &amp; .I used truncate function at DataView's EditFormula option .But I dint get it properly can any one help me out in this??

How to exclude single quote?




I have a string like 12 ju 'kold dsd' 15g.

And I wanna get 4 separated strings: 12, ju, kold dsd & 15g.

I have implemented next pattern: ([0-9a-zA-Z:=\|]+)|'[ 0-9a-zA-Z:=\|]+'

It has given next result: 12, ju, 'kold dsd' & 15g.

How to exclude quotes by means of RegExp?

Cross browser audio playback on membership auth. site...


Using VS2005, VB code behind,

I have a page that contains the following object tag...

        <object id="mediaPlayer" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" codebase="https://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701" standby="Loading Microsoft Windows® Media Player components..." type="application/x-oleobject" width="0" height="0"> 
            <param name="url" value="" /> 
            <param name="animationatStart" value="false" /> 
            <param name="transparentatStart" value="true" /> 
            <param name="autoStart" value="true" /> 
            <param name="autoSize" value="false" /> 
            <param name="showControls" value="false" /> 
            <param name="volume" value="100" /> 
            <embed type="application/x-mplayer2" pluginspage="https://www.microsoft.com/Windows/MediaPlayer/" src="" 
                  name="mediaPlayer" autostart="true" autosize="false" showcontrols="false" volume

using table variable in single quote



I searched over internet but i couldn't find. How can i use table variable in single quote here some of code that i can do and i can't

for example if i can write like this it will work

declare @table table ([name] varchar(20))
insert into @table values('ahmet')
select * from @table
but if i can write like this does not work
exec('select * from ['+@table+']')
I can use any variable for table name like
declare @tableName varchar(20)
set @tableName = 'sampleTable'
exec('select * from ['+@tableName+

# string with cross site lookup field value of List in datasheet view in moss 2007

I am getting appended # code value with cross site lookup field value of List in datasheet view, and also i am getting this value while export to Spreadsheet. How to remove this value.....

# string with cross site lookup field value of List in datasheet view in moss 2007


I am getting appended # code value with cross site lookup field value of List in datasheet view. I dont want that hash coded value, i need actual value. Please provide me the solution.



Rajanikanth Rayala

ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend