Explanation:
This article will not talk about how to create a complete wiki system. Rather, we will discuss how to make a page in a wiki application secure with the help of ASP.NET 2.0.
The basic entity of a page is its text. How can we accept and store that text securely? What is insecure about entering or saving text at all?
There are people with good programming skills and enough time on their hands who could even destroy our system. Why they would do this we will not discuss here; instead we will try to tackle the risk.
Whatever a user enters is displayed in the browser. It is therefore possible that someone enters code instead of the content they were supposed to share.
In HTML, script is wrapped in a <script> block. If a user types such a block into the page and the page later echoes it back unchanged, the browser reads it as code and runs it. For example, <script>alert("hi")</script> will show a popup window greeting all your users with a friendly "Hi", which you did not intend. Similarly, some script could close the page itself, and script running with a logged-in user's privileges could even damage your database through the application's own functions. This is a stored cross-site scripting (XSS) attack.
How to secure the database itself is a topic for another discussion, but let us see what can save us from the problem above.
When you save the text to your database, encode it like this:
string strMessage = Context.Server.HtmlEncode(TextBoxMessage.Text);
Now you can pass strMessage to the function that saves the message to the database. The code above turns <script>alert("hi")</script> into &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;: the characters <, >, & and " become HTML entities, so the browser displays the tag as literal text instead of executing it. Note that ASP.NET 2.0 request validation rejects a post that looks like markup with an HttpRequestValidationException by default; a wiki page that accepts markup on purpose usually sets ValidateRequest="false" on the page, which is exactly why the encoding here matters.
When we want to display the stored text on the page, we bind it exactly as it is stored:
<asp:Label ID="LabelMessage" runat="server" Text='<%# Eval("Message") %>'></asp:Label>
Here, Eval("Message") reads the Message field of our DataTable. Do not call Context.Server.HtmlDecode() on it in the binding expression: that turns &lt;script&gt; back into a real <script> tag, and since a Label writes its Text to the page verbatim, the browser would execute it and the encoding on save would have achieved nothing. Also do not encode it a second time on output, or the reader will see the literal characters &lt; and &gt; instead of the tags they typed.
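The following console program is an added example, not code from the original article. It models the two storage choices (raw text, or the HtmlEncoded text produced by the save path above) against the three ways a data-bound Label could emit the value (verbatim, through HtmlEncode, or through HtmlDecode) and reports which combinations leave a live script tag in the page. The class and method names (RenderDemo, Render, ContainsLiveScript, IsDoubleEncoded) and the sample payload are this example's own; System.Web.HttpUtility is the class behind Context.Server.HtmlEncode/HtmlDecode in ASP.NET.

```csharp
// Added example (not from the original article): compare storage and output
// choices for a wiki message. HttpUtility.HtmlEncode/HtmlDecode are the methods
// that Context.Server.HtmlEncode/HtmlDecode delegate to in ASP.NET.
using System;
using System.Web;

enum OutputMode { Verbatim, HtmlEncode, HtmlDecode }

static class RenderDemo
{
    // Constructed sample input: what a hostile author types into TextBoxMessage.
    public const string Payload = "<script>alert(\"hi\")</script>";

    // Models Text='<%# Eval("Message") %>' with an optional encode/decode call
    // wrapped around Eval; the Label itself writes Text to the page unchanged.
    public static string Render(string stored, OutputMode mode)
    {
        switch (mode)
        {
            case OutputMode.HtmlEncode: return HttpUtility.HtmlEncode(stored);
            case OutputMode.HtmlDecode: return HttpUtility.HtmlDecode(stored);
            default: return stored;
        }
    }

    // Stand-in for the browser: a real (unencoded) script tag would execute.
    public static bool ContainsLiveScript(string html)
    {
        return html.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Encoding an already-encoded value leaves "&amp;lt;" in the page, which the
    // reader sees as the literal characters "&lt;" instead of "<".
    public static bool IsDoubleEncoded(string html)
    {
        return html.Contains("&amp;lt;");
    }

    static void Report(string label, string html)
    {
        Console.WriteLine("{0,-36} live script: {1,-5} double-encoded: {2,-5} {3}",
            label, ContainsLiveScript(html), IsDoubleEncoded(html), html);
    }

    static void Main()
    {
        string storedRaw = Payload;                             // saved without encoding
        string storedEncoded = HttpUtility.HtmlEncode(Payload); // the article's save path

        Report("raw stored, verbatim output",       Render(storedRaw, OutputMode.Verbatim));       // UNSAFE
        Report("raw stored, HtmlEncode output",     Render(storedRaw, OutputMode.HtmlEncode));     // safe
        Report("encoded stored, verbatim output",   Render(storedEncoded, OutputMode.Verbatim));   // safe
        Report("encoded stored, HtmlDecode output", Render(storedEncoded, OutputMode.HtmlDecode)); // UNSAFE
        Report("encoded stored, HtmlEncode output", Render(storedEncoded, OutputMode.HtmlEncode)); // mangled text
    }
}
```

Only two of the five combinations are correct, and they are the two in which the value is encoded exactly once, at the last point where it changes hands before reaching the browser. Encoding at output (store raw, HtmlEncode in the binding) is generally the easier rule to keep, because the database then holds what the author actually typed and can be searched or exported without un-encoding it; the article's encode-on-save approach works equally well as long as the display side never decodes.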
There could be a different scenario. Maybe you do not want to save the message to a database but want to write it directly to the page. Then we define a function in the code-behind that takes care of the encoding:
void ShowMessage()
{
    // Encode what the user typed before it goes into the Label, which writes Text to the page as-is.
    LabelMessage.Text = Context.Server.HtmlEncode(TextBoxMessage.Text);
}
The function runs whenever it is called, for example from the Click handler of the button that submits the text. The matching control on the .aspx page is simply:
<asp:Label ID="LabelMessage" runat="server"></asp:Label>
Now suppose you want to let authors use a few harmless formatting tags, which the encoding has turned into plain text along with everything else. We will define a static function that turns exactly those encoded tags back into real ones; a static function is easy to call from the embedded code in the .aspx.
public static string DecodeTags(string encodedHTML)
{
    // Needs: using System.Text;
    // Only these formatting tags are turned back into HTML. Everything else,
    // including &lt;script&gt;, stays encoded and is shown as harmless text.
    StringBuilder strbuilder = new StringBuilder(encodedHTML);
    strbuilder.Replace("&lt;b&gt;", "<b>");
    strbuilder.Replace("&lt;/b&gt;", "</b>");
    strbuilder.Replace("&lt;i&gt;", "<i>");
    strbuilder.Replace("&lt;/i&gt;", "</i>");
    strbuilder.Replace("&lt;p&gt;", "<p>");
    strbuilder.Replace("&lt;/p&gt;", "</p>");
    strbuilder.Replace("&lt;u&gt;", "<u>");
    strbuilder.Replace("&lt;/u&gt;", "</u>");
    strbuilder.Replace("&lt;br&gt;", "<br>");
    strbuilder.Replace("&lt;/br&gt;", "");      // </br> is not valid HTML; simply drop it
    strbuilder.Replace("&lt;br/&gt;", "<br/>");
    return strbuilder.ToString();
}
This function turns the encoded versions of those tags back into real, renderable HTML, while every other tag the author typed stays encoded. Because each replacement matches the tag text exactly, a tag carrying attributes (for example an encoded <b onmouseover="..."> ) does not match and remains harmless text; never extend this approach to tags that take attributes, such as <a> or <img>, because that is where script can hide. To use the function from the .aspx, call it like any other static function, for example Text='<%# DecodeTags(Eval("Message").ToString()) %>' when it is defined in the page's own code-behind class. The good thing about static functions is that we can call them without initialising anything first (i.e. we do not need to create a new object).
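As an added example that is not part of the original article, the program below generalises the DecodeTags idea into a data-driven allow list and runs the complete pipeline (encode everything, then re-enable only the listed tags) over a few constructed inputs, including a script tag and a formatting tag that carries an event-handler attribute. The class and method names (WikiMarkup, DecodeAllowedTags, ToSafeHtml, AllowedTags) and the sample inputs are this example's own assumptions.

```csharp
// Added example (not from the original article): an allow-list version of
// DecodeTags plus the full encode-then-reenable pipeline for one posted message.
using System;
using System.Text;
using System.Web;

static class WikiMarkup
{
    // Allow list (assumption of this example: the article's b, i, u, p and br
    // are the whole set). Only tags without attributes belong here.
    static readonly string[] AllowedTags = { "b", "i", "u", "p", "br" };

    // Same idea as the article's DecodeTags, as a loop over the allow list so
    // that adding a tag is one entry instead of two Replace calls.
    public static string DecodeAllowedTags(string encodedHtml)
    {
        StringBuilder sb = new StringBuilder(encodedHtml);
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        sb.Replace("&lt;br/&gt;", "<br/>");   // self-closing form has no closing tag to pair
        return sb.ToString();
    }

    // Full pipeline for one message: encode everything the author typed, then
    // turn only the harmless tags back into HTML.
    public static string ToSafeHtml(string userText)
    {
        return DecodeAllowedTags(HttpUtility.HtmlEncode(userText));
    }

    static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "Hello <b>world</b><br>",                    // -> Hello <b>world</b><br>
            "<script>alert(\"hi\")</script>",            // -> stays fully encoded
            "<b onmouseover=\"alert(1)\">hover</b>",     // -> opening tag stays encoded (no exact match)
            "<u>&lt;u&gt; typed literally</u>",          // -> an entity the author typed is shown as typed
        };
        foreach (string s in samples)
        {
            Console.WriteLine(ToSafeHtml(s));
        }
    }
}
```

Running it shows the property that makes the exact-match replacement safe: the third sample comes out as &lt;b onmouseover=&quot;alert(1)&quot;&gt;hover</b>, that is, the attribute-bearing opening tag is still text and only a stray, harmless </b> is re-enabled. The fourth sample shows that an entity the author typed literally is rendered as the characters they typed, because HtmlEncode turned its ampersand into &amp; before the allow list ran.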