Every journey starts with a first step:
Build Your First ASP Application in MS Active Server Pages
July 05, 2002
HTMEncode
You might ask, what the heck is that and what does it do? Well, for this next quickie I will show you a simple way to prevent visitors from entering javascript or most any other code into you forms that have malicious intent. Most of this code is placed by people who want to see how well your forms hold up under simple "hacking" techniques. Others are ligitimately trying to bring down your Web server and create undue work for the administrators. Either way. HTMLEncode is a server-side function in ASP that prevents this from happening.
Let's examine a simple guestbook form theoretically, and what might happen if you do not HTMLEncode the input values:
Your basic guestbook usually contains several fields or text input areas for visitors to insert their name, email addy, homepage, and a brief rant/rave about your web site. Once the visitor enters this information they will click on submit or send to have it inserted into a database (we will be talking databases here but this can apply to XML or other flat files). The visitors information is then returned via the database back to the browser so everyone can see their information. This is all done via ASP or some other server-side scripting language (we will be talking about ASP here).
Now malicious Joe Schmoe has entered a javascript into the message part of the guestbook and has submitted it to the database. This script tells the browser to endlessly create new popup windows in the visitors browser. Every time a new visitor comes to look at your guestbook the script is ran client side as javascript. Very annoying :( So what can you do? First, you can clean the database out manually so the entry is no longer there and hope he doesn't come back... or you can recode your application to make sure that any characters submitted via the ASP page is HTMLEncoded. HTMLEncode means that each text value entered into the form is encoded server-side before entering into the database. For example, the HTMLEncode version of the "&" symbol is &#amp; many HTML coders know this already and can understand what the encoding does. It takes non-text/extended characters such as the "<", ">", "&", and encodes them to HTML. The "<" becomes &#lt;, the ">" becomes &#gt;, etc. The browser knows to display them in a recognizable form for the viewer.
Now for how it is done on the ASP page:
Let's assume that there are 3 fields you are asking folks to fill out:
Name, Email, and Message.
USER_NAME = Server.HTMLEncode(request.Form ("USER_NAME"))
USER_MAIL = Server.HTMLEncode(request.Form ("USER_MAIL"))
USER_MESSAGE = Server.HTMLEncode(request.Form ("USER_MESSAGE"))
The ASP script, just before INSERTing the values into a database, should have the Server.HTMLEncode before the request.form function. This will encode the values from the Form. At this point you can INSERT them anywhere (just keep that to yourself) and they will be safe for displaying at a later time.
Some reference links for using HTMLEncode:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259352
http://www.w3schools.com/asp/met_htmlencode.asp
You might ask, what the heck is that and what does it do? Well, for this next quickie I will show you a simple way to prevent visitors from entering javascript or most any other code into you forms that have malicious intent. Most of this code is placed by people who want to see how well your forms hold up under simple "hacking" techniques. Others are ligitimately trying to bring down your Web server and create undue work for the administrators. Either way. HTMLEncode is a server-side function in ASP that prevents this from happening.
Let's examine a simple guestbook form theoretically, and what might happen if you do not HTMLEncode the input values:
Your basic guestbook usually contains several fields or text input areas for visitors to insert their name, email addy, homepage, and a brief rant/rave about your web site. Once the visitor enters this information they will click on submit or send to have it inserted into a database (we will be talking databases here but this can apply to XML or other flat files). The visitors information is then returned via the database back to the browser so everyone can see their information. This is all done via ASP or some other server-side scripting language (we will be talking about ASP here).
Now malicious Joe Schmoe has entered a javascript into the message part of the guestbook and has submitted it to the database. This script tells the browser to endlessly create new popup windows in the visitors browser. Every time a new visitor comes to look at your guestbook the script is ran client side as javascript. Very annoying :( So what can you do? First, you can clean the database out manually so the entry is no longer there and hope he doesn't come back... or you can recode your application to make sure that any characters submitted via the ASP page is HTMLEncoded. HTMLEncode means that each text value entered into the form is encoded server-side before entering into the database. For example, the HTMLEncode version of the "&" symbol is &#amp; many HTML coders know this already and can understand what the encoding does. It takes non-text/extended characters such as the "<", ">", "&", and encodes them to HTML. The "<" becomes &#lt;, the ">" becomes &#gt;, etc. The browser knows to display them in a recognizable form for the viewer.
Now for how it is done on the ASP page:
Let's assume that there are 3 fields you are asking folks to fill out:
Name, Email, and Message.
USER_NAME = Server.HTMLEncode(request.Form ("USER_NAME"))
USER_MAIL = Server.HTMLEncode(request.Form ("USER_MAIL"))
USER_MESSAGE = Server.HTMLEncode(request.Form ("USER_MESSAGE"))
The ASP script, just before INSERTing the values into a database, should have the Server.HTMLEncode before the request.form function. This will encode the values from the Form. At this point you can INSERT them anywhere (just keep that to yourself) and they will be safe for displaying at a later time.
Some reference links for using HTMLEncode:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259352
http://www.w3schools.com/asp/met_htmlencode.asp
Subscribe to:
Posts (Atom)