I'm trying to understand why I need to use an XSS library when I can merely do
HtmlEncode when sending data from server to client...?
For example, here in Stackoverflow.com - the editor - all the SO team needs to do is save the user input and display it with HTML encode.
This way there is never going to be an HTML tag which is going to be executed.
I'm probably wrong here, but can you please contradict my statement, or explain?
For example:
I know that the IMG tag, for example, can have
onload, with which a user can run malicious scripts, but the IMG won't even run in the browser as IMG since it's
<img> and not
So - where is the problem?
I want to convert
&amp; to &,
&quot; to " etc. Is there a function in C# that could do that without writing all the options manually?
I am really confused about whether or not I should be using Microsoft's AntiXSS library to encode my HTML, instead of HttpUtility's HTMLEncode method.
Looking here, the answer would be a resounding yes, and lots of good reasons are provided, but then you go to the Codeplex page and see lots of bad reviews, with basically everybody saying it is broken, and I see it hasn't been updated in two years.
What's going on here? Has HttpUtility's HTMLEncode method been improved making it as secure? Has this library been replaced with something else?
What should you be using in 2014 to securely encode HTML in .net?
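As an added illustration (not from any of the posts above) of the point the first question and the AntiXSS question circle around, the Python below contrasts a minimal-escape encoder of the HttpUtility.HtmlEncode kind with a whitelist encoder of the AntiXSS kind, renders the same untrusted value into an element body, a quoted attribute and an unquoted attribute, and checks which output can still be cut short inside an unquoted attribute. `html.escape` stands in for the .NET call, and the function names, the sample value and the whitelist character set are assumptions made for this example.

```python
import html
import re

# Constructed sample value, in the spirit of the IMG/onload example above.
SAMPLE = '<img src=x onload=alert(1)>'

# Characters that end or restructure an *unquoted* attribute value.
# '&' is deliberately absent: it starts a character reference, it does not break out.
_UNQUOTED_BREAKERS = re.compile(r'[\s"\'=<>`]')

# Assumed whitelist: only these characters are emitted literally by the
# attribute encoder; everything else becomes a numeric character reference.
_ATTR_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.,-_")


def html_encode(value: str) -> str:
    """Minimal-escape encoder (stand-in for HttpUtility.HtmlEncode):
    only & < > " ' are replaced; spaces and '=' pass through untouched."""
    return html.escape(value, quote=True)


def attribute_encode(value: str) -> str:
    """Whitelist encoder (in the spirit of an AntiXSS-style attribute encoder):
    anything outside _ATTR_SAFE is written as &#N; so no character that an HTML
    parser treats as structure ever reaches the output literally."""
    return "".join(ch if ch in _ATTR_SAFE else f"&#{ord(ch)};" for ch in value)


def splits_unquoted_attribute(encoded: str) -> bool:
    """True if the encoded text still contains a character that would end an
    unquoted attribute value early (whitespace, quotes, '=', '<', '>', '`')."""
    return _UNQUOTED_BREAKERS.search(encoded) is not None


def render(value: str) -> dict:
    """Render one untrusted value into three contexts. The element body and
    the *quoted* attribute are fine with minimal escaping; the unquoted
    attribute is only intact with the whitelist encoder."""
    return {
        "body": f"<p>{html_encode(value)}</p>",
        "quoted_attr": f'<input value="{html_encode(value)}">',
        "unquoted_attr_minimal": f"<input value={html_encode(value)}>",
        "unquoted_attr_whitelist": f"<input value={attribute_encode(value)}>",
    }


if __name__ == "__main__":
    for context, markup in render(SAMPLE).items():
        print(f"{context:24} {markup}")
    print("minimal escape splits unquoted attr:", splits_unquoted_attribute(html_encode(SAMPLE)))
    print("whitelist escape splits unquoted attr:", splits_unquoted_attribute(attribute_encode(SAMPLE)))
```

The practical takeaway the check encodes: minimal escaping is enough for element bodies and quoted attributes, while an unquoted attribute needs either quoting or a whitelist encoder.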
I am using tFPDF to generate a PDF. The PHP file is UTF-8 encoded. I want
&copy;, for example, to be output in the PDF as the copyright symbol.
I have tried
htmlspecialchars_decode. When I take the string I am trying to decode and hard-code it in to a different file and decode it, it works as expected. So for some reason it is not being output in the PDF. I have tried output buffering. I am using
DejaVuSansCondensed.ttf (true type fonts).
Link to tFPDF: http://fpdf.org/en/script/script92.php
I am out of ideas. I tried double decoding, I checked everywhere to make sure it was not being encoded anywhere else.
I know that this has been discussed many times, but I have a different type of question. I am seeing an error in my event viewer "A potentially dangerous Request.Form value was detected from the client (content=..."
What I do NOT want to do is to turn off validation as in this post: A potentially dangerous Request.Form value was detected from the client
So I do NOT want to do these:
The issue itself is that these errors are coming from clients, usually in groups of about 10. What happens is that a certain IP address will send these types of messages for a few minutes and then stop, and then a different IP address will start the attack again in a few hours. To me it seems that a virus has taken over these computers and the virus is using them to attack my site.
The strange part is that the form in question is an error page to catch when a user goes to a page that is not found (404 error). The "virus" is trying to go to a guestadd.asp page, which I don't have. There is no input field with the name "content", so I am confused as to how to validate a non-existing field. (Unless I am just missing it.)
My question is how can I prevent this so that it does not allow it to submit? What am I doing wrong? I am able to block any info coming out, but this is quite annoying, and I don't want to be vulnerable to attack. I can post code if requested.