Encode User Input Before Outputting it to a Page — Or Else!
Turn bad user input into good ... and prevent your Web server from being hacked.
October 30, 2009
Hot Tip
LANGUAGE: C#
ASP.NET VERSIONS: 1.0 | 1.1
By Jeff Prosise
Here's an extraordinarily simple ASP.NET Web page - one that displays a personalized greeting consisting of "Hello" followed by a name typed by the user when the Click Me button is clicked. Despite its simplicity, this page suffers from a potentially fatal security flaw that can put cookies, your Web server, and even other computers behind your firewall at risk. Can you spot the flaw?
<html>
  <body>
    <form RunAt="server">
      <asp:TextBox ID="Input" RunAt="server" />
      <asp:Button Text="Click Me" OnClick="OnSubmit" RunAt="server" />
      <br>
      <asp:Label ID="Output" RunAt="server" />
    </form>
  </body>
</html>

<script language="C#" RunAt="server">
  void OnSubmit(Object sender, EventArgs e)
  {
      // Echoes whatever the user typed straight into the page (the flaw)
      Output.Text = "Hello, " + Input.Text;
  }
</script>
If you guessed that the flaw has to do with the fact that the code echoes raw user input to the page, you guessed correctly. A Web page should never, under ANY CIRCUMSTANCES, echo raw, unfiltered user input to the page. Why? Because it leaves that page susceptible to cross-site scripting (XSS) attacks. To demonstrate, run the page and type the following text into the text box:
Click the Click Me button and a message box will pop up in your browser. The problem? When you echoed a script block to the page, the browser interpreted it as a piece of code that needs to be executed. This script is benign. But malicious users - read: hackers - can enter scripts that are far from benign. Even a page as simple as this one can't afford to assume that all users have honorable intentions. (Note: If you run this page with ASP.NET 1.1, you'll need to add an <%@ Page ValidateRequest="false" %> directive to the top of the page to see the message box.)
The solution is simple. Before echoing user input to a page, use Server.HtmlEncode to HTML-encode it. The following page is functionally equivalent to the previous one, but because it HTML-encodes the text typed by the user before outputting it to the page - turning < and > characters, for example, into &lt; and &gt; - it's impervious to XSS attacks:
<html>
  <body>
    <form RunAt="server">
      <asp:TextBox ID="Input" RunAt="server" />
      <asp:Button Text="Click Me" OnClick="OnSubmit" RunAt="server" />
      <br>
      <asp:Label ID="Output" RunAt="server" />
    </form>
  </body>
</html>

<script language="C#" RunAt="server">
  void OnSubmit(Object sender, EventArgs e)
  {
      // HTML-encode the input so the browser renders it as text, not markup
      Output.Text = "Hello, " + Server.HtmlEncode(Input.Text);
  }
</script>
Remember: user input is inherently evil and should be treated as such. Server.HtmlEncode turns bad user input into good and might just prevent your Web server from being hacked - or worse.
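To make the transformation concrete, here is a small console program, added as an example and not part of the article, that runs the article's greeting through a hand-written HTML encoder and through the framework's own encoder. It uses System.Net.WebUtility.HtmlEncode (available in .NET Framework 4.0 and later and in .NET Core/.NET 5+) in place of the ASP.NET Server.HtmlEncode call from the article; the names EncodeForHtml, Greeting and the sample inputs are this example's own, and the inputs are constructed.

```csharp
using System;
using System.Net;
using System.Text;

static class HtmlEncodeDemo
{
    // Hand-written encoder for the five characters that change meaning inside
    // HTML text content and quoted attribute values. It exists only to make the
    // transformation visible; real code should call the framework encoder.
    static string EncodeForHtml(string input)
    {
        if (input == null) return null;
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '&':  sb.Append("&amp;");  break;
                case '<':  sb.Append("&lt;");   break;
                case '>':  sb.Append("&gt;");   break;
                case '"':  sb.Append("&quot;"); break;
                case '\'': sb.Append("&#39;");  break;
                default:   sb.Append(c);        break;
            }
        }
        return sb.ToString();
    }

    // Same greeting the article's page builds, with or without encoding.
    static string Greeting(string name, bool encode)
    {
        return "Hello, " + (encode ? EncodeForHtml(name) : name);
    }

    static void Main()
    {
        // Constructed sample inputs: an ordinary name, the kind of script block
        // the article demonstrates, and text containing an ampersand and a tag.
        string[] samples =
        {
            "Jeff",
            "<script>alert('xss')</script>",
            "Tom & Jerry <b>bold</b>",
        };

        foreach (string s in samples)
        {
            string framework = WebUtility.HtmlEncode(s);

            Console.WriteLine("raw:      " + Greeting(s, false));
            Console.WriteLine("encoded:  " + Greeting(s, true));
            // The framework encoder and the hand-written one agree on these characters
            // (WebUtility encodes the apostrophe as &#39;, as the hand-written one does).
            Console.WriteLine("matches WebUtility.HtmlEncode: " + (framework == EncodeForHtml(s)));
            // Encoding loses nothing: decoding restores the original text exactly.
            Console.WriteLine("round-trips:                   " + (WebUtility.HtmlDecode(framework) == s));
            Console.WriteLine();
        }
    }
}
```

Two points worth keeping in mind when applying this on a real page. First, HTML encoding is the right defense only when the value lands in HTML text or a quoted attribute; a value inserted into a script block, a URL or a style rule needs the encoder for that context instead. Second, the 1.x-era Server.HtmlEncode does not encode the apostrophe (that was added in .NET 4.0), so on those versions user input placed inside a single-quoted attribute is not protected by HtmlEncode alone; use double-quoted attributes.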
About the Author
Jeff Prosise is author of several books, including Programming Microsoft .NET (Microsoft Press). He also is a co-founder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET. Contact Jeff at [email protected].