EntryDate attribute in ASP. NET

I have not encoded the EntryDate attribute in the previous section. There are two reasons: When the EntryDate attribute is displayed on a page, we do not need to encode this attribute.

First, a visitor does not enter the value of the EntryDate attribute. The value of this EntryDate attribute is created through your code. In this case, a hacker cannot input malicious code.

Assume that a visitor does enter the value of the EntryDate attribute. Because this EntryDate is stored in the SQL Server database as a DateTime type, a hacker cannot add malicious code to this EntryDate attribute. Therefore, you do not need to worry about encoding this attribute when displaying it.

Generally, when a user enters the content to be submitted through the text box on the form, you should be truly worried about JavaScript injection attacks. For example, you should worry about the display of user names. If you allow a user to create their own user names, A user may potentially add a malicious JavaScript string to their username or add an Image Tag pointing to a pornographic image ).

In addition, you should also worry about hyperlink issues. Because most blog Applications Support anonymous users to submit a hyperlink to their website-when they submit comments to a blog. In this case, a hacker may add malicious JavaScript to the link. The following is a simple example:

 
 

  
  
<a href="javascript:alert('Something Evil!')">Mr. Hacker a> 
 
 

When you click this link, JavaScript code is executed. Of course, nothing malicious will happen in this example. However, you can execute code from the page that can indeed steal form data or cookies.

You can use JavaScript injection attacks to steal cookies. For example, if you store a user's credit card number in a browser cookie, you can inject JavaScript into the page and then use document. use the cookie DOM property to obtain the credit card number.

Note that both ASP. NET form authentication and ASP. NET session Status use cookies on the browser side. Form authentication depends on the authentication ID stored in a cookie named. ASPXAUTH, while session Status uses a cookie named ASP. NET_SessionId. If you can steal these cookies, you will be able to mimic legitimate website users and steal user session status information.

Fortunately, Microsoft has taken necessary preventive measures in advance to make it difficult to steal the form authentication and session Status cookies. Both types of cookies belong to the HttpOnly type. An HttpOnly cookie is a special type of cookie. You cannot access such data through the client code, but can only read the HttpOnly cookies from the web server.

Browsers such as Microsoft Internet Explorer, Firefox, and Opera provide support for HttpOnly cookies. Unfortunately, Safari and some older browsers have not yet provided such support. Therefore, you must carefully encode the data entered by all users in HTML; otherwise, a malicious hacker may steal form authentication and session Status cookie data.

The purpose of this article is to emphasize that security issues must be emphasized when developing Based on ASP. net mvc framework. As described in this article, JavaScript injection attacks are the most frequently used types of security attacks. Most web developers did not spend enough time to consider this issue. Therefore, I hope this article will remind you that when displaying data in an MVC view, you should always encode the data collected by your users. The above describes the EntryDate attribute in ASP. NET.

1. Introduction to ASP. net mvc Framework
2. Introduction to MvcAjaxPanel in ASP. NET MVC
3. ASP. net mvc Framework to save UpdatePanel
4. Use ASP. net mvc source code to find a solution
5. ActionInvoker of ASP. net mvc Framework