Text fields not HTML encoded on databind?

Neeva
User
Posts: 5
Joined: 05-Oct-2006
# Posted on: 05-Oct-2006 13:46:26   

Hi,

I am using the 1.0.2005.1.final version and have a question about security. When for some reason strange or malicious characters have found their way into my database in a text column, I noticed that LLBLGen does not HTML encode this bad column value when databinding the corresponding table to a datagrid. This can lead to weird results in the HTML display of a page, and even worse, to script being executed on that page. Now I know that it is my responsibility to keep malicious data out of my database, but for argument's sake (and thinking of defense in layers), shouldn't LLBLGen do HTML encoding on a databind?

Thanks in advance for an answer.

Kind regards, Neeva

Neeva
User
Posts: 5
Joined: 05-Oct-2006
# Posted on: 05-Oct-2006 14:01:08   

Additional information: maybe LLBLGen does HTML encoding when binding to entities. In my case I am talking about a GetMultiAsDataTable call. I can imagine I then have to do it myself. But in general I am curious when LLBLGen does HTML encoding and when not.

I am using VS.NET 2003 and .NET 1.1 by the way.

Thanks, Neeva

Walaa
Support Team
Posts: 14995
Joined: 21-Aug-2005
# Posted on: 05-Oct-2006 16:11:03   

What if somebody has an html editor in his application, and he wants to store the html output in the database?

Neeva
User
Posts: 5
Joined: 05-Oct-2006
# Posted on: 13-Oct-2006 14:11:06   

Then I have to solve that myself. My point is that it would be nice to know where LLBLGenPro is protective from a security point of view and where not. So that I can determine in which scenarios I must take action to make my code secure.

Could you please provide this information?

Thanks!

Otis
LLBLGen Pro Team
Posts: 39927
Joined: 17-Aug-2003
# Posted on: 13-Oct-2006 14:38:20   

Neeva wrote:

Then I have to solve that myself. My point is that it would be nice to know where LLBLGenPro is protective from a security point of view and where not. So that I can determine in which scenarios I must take action to make my code secure.

Could you please provide this information? Thanks!

I have no idea how encoding HTML is of any relevance to 'security'... Could you explain that to me please?

LLBLGen Pro doesn't do any encoding, encrypting etc. for you, it stores the data as you give it to it and it pulls the data from the db as it's stored inside the db. What you do with the data after that is up to you.

Frans Bouma | Lead developer LLBLGen Pro

Chester
Support Team
Posts: 223
Joined: 15-Jul-2005
# Posted on: 14-Oct-2006 22:16:18   

Don't forget that LLBLGen Pro is not just a web application tool. It can be used in any data access scenario. Why not just apply HTML encoding on the property to which you are binding:

myTextbox.Text = Server.HtmlEncode(myObject.SomeProperty);

Neeva
User
Posts: 5
Joined: 05-Oct-2006
# Posted on: 16-Oct-2006 15:29:31   

Hi Chester,

That is a valid point you're raising. For a textbox that's easy to do, but for a datagrid bind it is not. Would your conclusion be that I have to build HTML encoding into my datagrid?

Regards, Neeva

Neeva
User
Posts: 5
Joined: 05-Oct-2006
# Posted on: 16-Oct-2006 15:34:56   

To Otis (just saw your post): When you HTML encode text that comes from a database or from user input, the HTML code and embedded JavaScript code is written as plain text to the screen and not interpreted by your browser as executable code. This prevents cross site scripting vulnerabilities. This really is a major issue in web application security nowadays.

Thanks for making clear that I have to supply this functionality myself. As Chester pointed out, LLBLGen is not only for web apps, so it is kind of logical LLBLGen does not provide this.

Regards, Neeva

Jessynoo
Support Team
Posts: 296
Joined: 19-Aug-2004
# Posted on: 16-Oct-2006 17:11:01   

Hi,

Maybe you can write a custom projector or a type Converter, which will do the job.

Just my 2 cents
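One way to put the encoding in the datagrid itself (Neeva's question above) rather than in the data layer or a custom projector, as an added example that is not code from this thread or from LLBLGen Pro: an ASP.NET 1.1 DataGrid ItemDataBound handler that HTML-encodes every auto-generated cell after the DataTable row from GetMultiAsDataTable has been bound. The page class, the grid name MyGrid and the handler name are assumptions.

```csharp
// Added example, not from the thread or LLBLGen Pro. ASP.NET 1.1 / C# 1.0.
// The DataTable returned by the data layer stays raw (which is what the
// LLBLGen team says it should be); encoding happens at render time, in the
// grid, so the same data can still be used unencoded elsewhere.
using System;
using System.Web;
using System.Web.UI.WebControls;

public class SafeGridPage : System.Web.UI.Page
{
    // Hypothetical DataGrid declared in the .aspx markup with id="MyGrid".
    protected DataGrid MyGrid;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Auto-generated BoundColumns copy the raw column value into cell.Text.
        MyGrid.AutoGenerateColumns = true;
        MyGrid.ItemDataBound += new DataGridItemEventHandler(MyGrid_ItemDataBound);
    }

    // Runs once per row after the row's cells have been filled from the
    // DataRowView, so cell.Text still holds the unencoded database value here.
    private void MyGrid_ItemDataBound(object sender, DataGridItemEventArgs e)
    {
        ListItemType type = e.Item.ItemType;
        // Only data rows carry database values; header/footer/pager text is
        // developer-controlled and edit rows render TextBox controls instead.
        if (type != ListItemType.Item &&
            type != ListItemType.AlternatingItem &&
            type != ListItemType.SelectedItem)
        {
            return;
        }

        foreach (TableCell cell in e.Item.Cells)
        {
            // Turns "<script>" into "&lt;script&gt;" so the browser shows it
            // as text instead of executing it.
            cell.Text = HttpUtility.HtmlEncode(cell.Text);
        }
    }
}
```

This only covers BoundColumn cells; a TemplateColumn renders its own controls, whose bound values must be wrapped in HtmlEncode in the template itself.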