javascript - What HTML tags would be considered dangerous if stored in SQL Server? - Stack Overflow

admin管理员组

文章数量:1334162

Considering issues like CSRF, XSS, SQL Injection...

Site: ASP, SQL Server 2012

I'm reading a somewhat old page from MS: .aspx#paght000004_step4

If I have a parametrized query, and one of my fields is for holding HTML, would a simple replace on certain tags do the trick?

For example, a user can type into a WYSIWYG textarea, make certain things bold, or create bullets, etc.

I want to be able to display the results from a SELECT query, so even if I HTMLEncoded it, it'll have to be HTMLDecoded.

What about a UDF that cycles through a list of scenarios? I'm curious as to the best way to deal with the seemingly sneaky ones mentioned on that page:

Quote:

An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting. For example, the src attribute of the tag can be a source of injection, as shown in the following examples.

<img src="javascript:alert('hello');">
<img src="java&#010;script:alert('hello');">
<img src="java&#X0A;script:alert('hello');">

An attacker can also use the <style> tag to inject a script by changing the MIME type as shown in the following.

<style TYPE="text/javascript">
  alert('hello');
</style>    

So ultimately two questions:

1. Best way to deal with this from within the INSERT statement itself.
2. Best way to deal with this from code-behind.

Considering issues like CSRF, XSS, SQL Injection...

Site: ASP, SQL Server 2012

I'm reading a somewhat old page from MS: https://msdn.microsoft./en-us/library/ff649310.aspx#paght000004_step4

If I have a parametrized query, and one of my fields is for holding HTML, would a simple replace on certain tags do the trick?

For example, a user can type into a WYSIWYG textarea, make certain things bold, or create bullets, etc.

I want to be able to display the results from a SELECT query, so even if I HTMLEncoded it, it'll have to be HTMLDecoded.

What about a UDF that cycles through a list of scenarios? I'm curious as to the best way to deal with the seemingly sneaky ones mentioned on that page:

Quote:

An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting. For example, the src attribute of the tag can be a source of injection, as shown in the following examples.

<img src="javascript:alert('hello');">
<img src="java&#010;script:alert('hello');">
<img src="java&#X0A;script:alert('hello');">

An attacker can also use the <style> tag to inject a script by changing the MIME type as shown in the following.

<style TYPE="text/javascript">
  alert('hello');
</style>    

So ultimately two questions:

1. Best way to deal with this from within the INSERT statement itself.
2. Best way to deal with this from code-behind.

• javascript
• asp
• sql-server
• security
• database-security

Share Improve this question Follow asked Apr 27, 2015 at 22:02 user1447679user1447679 3,27077 gold badges3838 silver badges7676 bronze badges 2

• encode your strings before storing it into the db – Sushil Commented Apr 27, 2015 at 22:19
• I suggest using the HTML Agility Pack to help parse your HTML, and you should sanitize on output not input. – Dave Commented Apr 27, 2015 at 22:27

Add a ment  | 

4 Answers 4

Sorted by: Reset to default 8

1. Best way to deal with this from within the INSERT statement itself.

None. That's not where you should do it.

2. Best way to deal with this from code-behind.

Use a white-list, not a black-list. HTML encode everything, then decode specific tags that are allowed.

It's reasonable to be able to specify some tags that can be used safely, but it's not reasonable to be able to catch every possible exploit.

What HTML tags would be considered dangerous if stored in SQL Server?

None. SQL Server does not understand, nor try to interpret HTML tags. A HTML tag is just text.

However, HTML tags can be dangerous if output to a HTML page, because they can contain script.

If you want a user to be able to enter rich text, the following approaches should be considered:

• Allow users (or the editor they are using) to generate BBCode, not HTML directly. When you output their BBCode markup, you convert any recognised tags to HTML without attributes that contain script, and any HTML to entities (& to &, etc).
• Use a tried and tested HTML sanitizer to remove "unsafe" markup from your stored input in bination with a Content Security Policy. You must do both otherwise any gaps (and there will be gaps) in the sanitizer could allow an attack, and not all browsers full support CSP yet (IE).

Note that these should be both be done on point of output. Store the text "as is" in your database, simply encode and process for the correct format when output to the page.

Sanitize html both on the client and on the server before you stuff any strings into SQL.

Client side: TinyMCE - does this automatically CKEditor - does this automatically

Server side: Pretty easy to do this with Node, or the language/platform of your choice.

https://www.realwebsite.

the link above shows www.realwebsite. while it actually takes you to www.dangerouswebsite....

<a ' href="https://www.dangerouswebsite."> https://www.realwebsite. <'/a>
do not include the random ' in the code I put it there to bypass activating the code so you can see the code instead of just the link. (btw most websites block this or anything if you add stuff like onload="alert('TEXT')" but it can still be used to trick people into going to dangerous websites... (although its real website pops up on the bottom of your browser, some people don't check it or don't understand what it means.))

本文标签： javascriptWhat HTML tags would be considered dangerous if stored in SQL ServerStack Overflow