I’ve set ValidateInput attribute to false for actions that deal with posting comments. I’m using html.encoding by using this syntax <%:... %> to redisplay the comment
I posted the following code in the commentbox, and the comment did get posted as it is with script tags intact but no actual alert. That is acceptable, right?
<script type="text/javascript"> alert("t"); </script>
Now, I know I need to still watch out for URL-related attacks, but for re-displaying input, is this approach safe enough?
Edit: Comment is the only place where I’m even allowing characters like “<“. Most other input boxes are alphanumeric only.
Yes your approach is safe, the fact that you’re using the
<%:means that it doesn’t matter what is stored in the database, the value with be encoded when rendered in the browser, so if you look at the html source of the page that is rendering your comment, you’ll see that the<script...is actually a<script...which won’t be interpreted by the browser as something that needs to be executed.As a side note: Although you should always do what you’re currently doing to make sure these comments are never rendered in the browser verbatim (without encoding them first), the safest way to mitigate risk is to never let them get past your server-side validation in the first place. However there are valid use cases for wanting to save code in your database – so it does depend on your use case (which you haven’t supplied)