General information
Forum: Microsoft SQL Server
Environment versions
SQL Server: SQL Server 2005
Hello Naomi,
You don't have to clean the database. To ensure that no malicious <script> tags can be embedded into your pages,
you have to encode the data before output.
So instead of
Response.Write(databasereader.GetString(1));
you write
Response.Write(HttpUtility.HtmlEncode(databasereader.GetString(1)));
This way the content of the database does not matter; everything is HTML encoded and will just be displayed as plain text.
P.S.: the UT is also not protected
<script>alert('Hello World');</script>
<script>script>alert('Hello World');
Regards
Christian
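The pattern Christian describes, as an added C# example that is not part of this thread: the raw-output line beside its encoded form, run over constructed sample values (the class and Render* helper names are assumed here, not from the original post).

```csharp
using System;
using System.Web;   // HttpUtility lives in System.Web.dll; reference it in a console project

// Added example: encode database content at the point of output so that a
// stored <script> tag is shown as text instead of being executed.
// All "database rows" below are constructed for illustration.
public static class OutputEncodingDemo
{
    // Equivalent of Response.Write(databasereader.GetString(1)) from the thread:
    // the raw value lands in the page, so a stored <script> tag would run.
    public static string RenderCellUnsafe(string dbValue)
    {
        return "<td>" + dbValue + "</td>";
    }

    // Equivalent of Response.Write(HttpUtility.HtmlEncode(...)):
    // <, >, & and " become entities, so the browser displays them as text.
    public static string RenderCellSafe(string dbValue)
    {
        return "<td>" + HttpUtility.HtmlEncode(dbValue) + "</td>";
    }

    // Caveat beyond the thread: a value written inside an attribute belongs in a
    // double-quoted attribute and goes through the attribute encoder instead.
    public static string RenderLinkSafe(string dbTitle)
    {
        return "<a title=\"" + HttpUtility.HtmlAttributeEncode(dbTitle) + "\">link</a>";
    }

    public static void Main()
    {
        // Constructed sample values as they might come back from the reader.
        string[] rows =
        {
            "plain text",
            "<script>alert('Hello World');</script>",   // the payload quoted in the thread
            "Tom & Jerry \"quoted\""
        };

        foreach (string value in rows)
        {
            Console.WriteLine("unsafe: " + RenderCellUnsafe(value));
            Console.WriteLine("safe:   " + RenderCellSafe(value));
            Console.WriteLine("attr:   " + RenderLinkSafe(value));
        }
    }
}
```

Whether a single quote is encoded by HtmlEncode depends on the .NET version, which is one more reason to quote attributes and use the attribute encoder for them.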