StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
5753559
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2011-04-22T08:15:00.673
FavoriteCount
0
LastActivityDate
2011-04-22T08:15:00.673
LastEditDate
LastEditorUserId
0
OwnerUserId
73948
ParentId
5739493
PostTypeId
2
Score
2
ViewCount
0
LastEditorDisplayName
text
Body
There's a few things to consider here. Firstly, you've got <a href="http://www.troyhunt.com/2010/03/request-validation-dotnetnuke-and.html" rel="nofollow">ASP.NET Request Validation</a> which will catch many of the common XSS patterns. Don't rely exclusively on this, but it's a nice little value add. Next up you want to validate the input against a white-list and in this case, your white-list is all about conforming to the expected structure of a URL. Try using <a href="http://msdn.microsoft.com/en-us/library/system.uri.iswellformeduristring.aspx" rel="nofollow">Uri.IsWellFormedUriString</a> for compliance against RFC 2396 and RFC 273: <pre><code>var sourceUri = UriTextBox.Text; if (!Uri.IsWellFormedUriString(sourceUri, UriKind.Absolute)) { // Not a valid URI - bail out here } </code></pre> AntiXSS has Encoder.UrlEncode which is great for encoding string to be appended to a URL, i.e. in a query string. Problem is that you want to take the original string and not escape characters such as the forward slashes otherwise <code>http://troyhunt.com</code> ends up as <code>http%3a%2f%2ftroyhunt.com</code> and you've got a problem. As the context you're encoding for is an HTML attribute (it's the "href" attribute you're setting), you want to use Encoder.HtmlAttributeEncode: <pre><code>MyHyperlink.NavigateUrl = Encoder.HtmlAttributeEncode(sourceUri); </code></pre> What this means is that a string like <code>http://troyhunt.com/<script></code> will get escaped to <code>http://troyhunt.com/&lt;script></code> - but of course Request Validation would catch that one first anyway. Also take a look at the OWASP Top 10 <a href="https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards" rel="nofollow">Unvalidated Redirects and Forwards</a>.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POAre there any anti-XSS libraries for ASP.Net?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USTroy Hunt
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COAntiXSS will have EncodeUrlPath in beta at the weekend :) But yes, UrlEncode doesn't do what it's named as unfortunately. Nothing I can do about that - it does what the framework function does :)
 singulars
 PostPostId
 PO
 UserUserId
 USblowdart

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.