Death of a Giant

For all who have yet to hear, Robert Jordan died yesterday after a long struggle, surrounded by his loved ones. I had the dubious pleasure of being the first bearer of this news to the local speculative fiction bookshop, and the looks on their faces reflected the one on mine when I first heard.

Without a doubt, he will be sadly missed.

Dragonmount will soon be posting details on where to send condolences. If you do, refrain from asking any questions about the future; just wish them the best in this trying time.

Rest in peace.


Avoiding Cross Site Scripting Exploits (XSS) in ASP.NET 2.0

You’ve probably heard about the cross site scripting exploits that hackers have been using to take control of computers for some time now. Here is how they work:

A hacker realises that your site uses user input in the page display. This is common in pages that take user details and the like. If such input isn’t checked, they can enter JavaScript code as input, and when your site displays it back, the browser will execute it as code. This is a particular problem when answers are saved to the database and can later be displayed to -other- users, causing their browsers to do all sorts of strange things.

ASP.NET 2.0 helps you solve that problem in a very simple way.

Many common controls, such as the Literal control and the Label control (controls commonly used for displaying output to the user), now have an attribute called “Mode”. Setting it to “Encode” ensures that any HTML characters found inside the Text attribute (such as ‘<’ and ‘>’) that would, if displayed normally, cause the browser to take some action or other, such as running a script, will be output as their percentage character code (an example is %20 for space, often used in filenames in HTML). This ensures that script, if entered, will not be run as such.

Not all controls provide this functionality, though, so there is another option. ASP.NET 2.0 provides the HttpUtility class, and one of its methods, HtmlEncode, will, as above, render the provided text safe for display.
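As an added example (not code from the original post), the small console program below puts the unsafe raw output of a user-supplied value next to the output of HttpUtility.HtmlEncode, so you can see exactly which characters get rewritten; it assumes a reference to System.Web.dll and constructs its own sample input.

```csharp
// Added example, not part of the original post. Compile against System.Web.dll,
// e.g.  csc /r:System.Web.dll XssDemo.cs
using System;
using System.Web;

static class XssDemo
{
    // Constructed sample of what someone might type into a "display name" field.
    public const string UntrustedInput = "Bob <script>alert(1)</script> & Co";

    // Unsafe: the value is dropped into the page verbatim, so a browser that
    // receives this markup parses the <script> element and runs it, for every
    // user the stored value is later shown to.
    public static string RenderUnsafe(string input)
    {
        return "<p>Hello, " + input + "</p>";
    }

    // Safe: HtmlEncode replaces the characters HTML treats as markup with
    // entities ('<' becomes &lt;, '>' becomes &gt;, '&' becomes &amp;,
    // '"' becomes &quot;), so the browser shows them as literal text
    // and never sees a <script> element.
    public static string RenderEncoded(string input)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(input) + "</p>";
    }

    // The declarative equivalent on a Web Forms page is a Literal with
    // Mode="Encode"; its Text property is HTML-encoded at render time:
    //   <asp:Literal ID="Greeting" runat="server" Mode="Encode" />
    //   Greeting.Text = input;   // in code-behind
    // (markup shown in a comment so this file stays a single runnable program)

    static void Main()
    {
        Console.WriteLine("Unsafe : " + RenderUnsafe(UntrustedInput));
        Console.WriteLine("Encoded: " + RenderEncoded(UntrustedInput));
    }
}
```

HtmlEncode protects values placed into HTML element content and quoted attribute values; a value inserted inside an existing script block or a URL needs the encoding appropriate to that context instead.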

A lot of big sites have been caught out by XSS errors, and they can creep in very easily. These are simple ways to minimize the risk with very little extra work.