Security: Handle ASP.NET Colors with Care

Published 13 December 04 10:40 AM | despos

As Nikhil reports, .NET colors used in the context of ASP.NET applications can become so dangerous to lead you straight to a cross-site script attack. Of course, this can't happen if you use colors through RGB triplets. However, from within ASP.NET pages and controls it is fairly common to manage colors through their HTML representation--actually, a string. Surprisingly, assigning color properties with unfiltered HTML color strings can be as dangerous as outputting unfiltered text to the page. Here's an example (taken from Nikhil's post)

  <asp:TextBox runat="server" id="colorTextBox" />
  <asp:Panel runat="server" id="colorPanel" />
  <asp:Button runat="server" id="okButton" Text="OK" onclick="okButton_Click" />
  <script runat="server">
  void okButton_Click(object sender, EventArgs e) {
      colorPanel.BackColor = Color.FromName(colorTextBox.Text);
  }

Imagine now a hacker types in a piece of script code wrapped by the expression function. 

expression(alert('hi'))

The final HTML for the panel above would be:

<div id="colorPanel" style="background-color:expression(alert('hi'));">

What's expression? It is a proposed CSS function notation introduced with IE50 to support dynamic properties. Basically, it makes any script wrapped by run. That's what really matters in the end... Note that the same won't happen with eval().

What can you do about it? Avoid using Color.FromName, in first place. You can replace it either with ColorTranslator.FromHTML or more in general with the ColorConverter class. Use this

colorPanel.BackColor = ColorTranslator.FromHTML(colorTextBox.Text);

or in alternative this one:

colorPanel.BackColor = ColorConverter.ConvertFromString(colorTextBox.Text);

Both classes validate the input string before they return a Color object. Which one is better? From the security standpoint, they're equivalent. Both catch the invalid input while trying to extract a RGB triplet from the passed string. The error you get is raised during a String-to-Int32 conversion. ColorConverter is more powerful to handle string colors because designed to accept a wider range of input strings.

In summary, this security advice applies to all the cases in which you're setting properties using dynamically specified color strings--textboxes, request params, cookies, and so on. Using colors may configure a cross-site scripting attack; of course, for the attack to work you should have ValidateRequest turned off.

PS: Wow. I just wonder how many other similar holes are there still to be noticed (by white hats...)

Comments

# TrackBack said on December 12, 2004 11:04 PM:
# TrackBack said on December 13, 2004 02:32 AM:
# sonnerie polyphonique said on December 14, 2004 07:15 AM:

verry good

# TrackBack said on December 15, 2004 04:31 AM:
# paul said on December 27, 2004 06:14 PM:

<a href="http://www.mes-sonneries-portable.magikmobile.com">http://www.mes-sonneries-portable.magikmobile.com</a> <a href="http://www.les-sonnerie-portable.magikmobile.com">http://www.les-sonnerie-portable.magikmobile.com</a> <a href="http://www.sonneries-mobiles-40.magikmobile.com">http://www.sonneries-mobiles-40.magikmobile.com</a> <a href="http://www.mes-sonneries-sagem.magikmobile.com">http://www.mes-sonneries-sagem.magikmobile.com</a> <a href="http://www.sonneries-e300.magikmobile.com">http://www.sonneries-e300.magikmobile.com</a> <a href="http://www.sonneries-e310.magikmobile.com">http://www.sonneries-e310.magikmobile.com</a> <a href="http://www.sonneries-k700i.magikmobile.com">http://www.sonneries-k700i.magikmobile.com</a> <a href="http://www.mes-sonneries-portables.magikmobile.com">http://www.mes-sonneries-portables.magikmobile.com</a> <a href="http://www.sonneries-sony-ericsson.magikmobile.com">http://www.sonneries-sony-ericsson.magikmobile.com</a> <a href="http://www.les-sonnerie-hypersound.magikmobile.com">http://www.les-sonnerie-hypersound.magikmobile.com</a> <a href="http://www.les-sonneries-hypersound.magikmobile.com">http://www.les-sonneries-hypersound.magikmobile.com</a> <a href="http://www.mes-sonneries-samsung.magikmobile.com">http://www.mes-sonneries-samsung.magikmobile.com</a> <a href="http://www.sonneries-polyphoniques-hifi.magikmobile.com">http://www.sonneries-polyphoniques-hifi.magikmobile.com</a> <a href="http://www.sonnerie-polyphonique-hifi.magikmobile.com">http://www.sonnerie-polyphonique-hifi.magikmobile.com</a> <a href="http://www.sonneries-k500i.magikmobile.com">http://www.sonneries-k500i.magikmobile.com</a> <a href="http://www.sonneries-logos-hifi.magikmobile.com">http://www.sonneries-logos-hifi.magikmobile.com</a> <a href="http://www.sonneries-poly-40tons.magikmobile.com">http://www.sonneries-poly-40tons.magikmobile.com</a> <a href="http://www.sonneries-sonyericsson.magikmobile.com">http://www.sonneries-sonyericsson.magikmobile.com</a> <a href="http://www.sonneries-e800.magikmobile.com">http://www.sonneries-e800.magikmobile.com</a> <a href="http://www.les-sonneries-philips.magikmobile.com">http://www.les-sonneries-philips.magikmobile.com</a> <a href="http://www.sonneries-myx-4t.magikmobile.com">http://www.sonneries-myx-4t.magikmobile.com</a> <a href="http://www.mes-sonneries-alcatel.magikmobile.com">http://www.mes-sonneries-alcatel.magikmobile.com</a>">http://www.mes-sonneries-alcatel.magikmobile.com">http://www.mes-sonneries-alcatel.magikmobile.com</a> <a href="http://www.mes-sonneries-alcatel.magikmobile.com">http://www.mes-sonneries-alcatel.magikmobile.com</a>">http://www.mes-sonneries-alcatel.magikmobile.com">http://www.mes-sonneries-alcatel.magikmobile.com</a> <a href="http://www.sonneries-alcatel-touch1.magikmobile.com">http://www.sonneries-alcatel-touch1.magikmobile.com</a> <a href="http://www.mes-sonneries-lg.magikmobile.com">http://www.mes-sonneries-lg.magikmobile.com</a> <a href="http://www.sonneries-sgh.magikmobile.com">http://www.sonneries-sgh.magikmobile.com</a> <a href="http://www.sonneries-e700.magikmobile.com">http://www.sonneries-e700.magikmobile.com</a> <a href="http://www.sonneries-t5100.magikmobile.com">http://www.sonneries-t5100.magikmobile.com</a> <a href="http://www.sonneries-3G.magikmobile.com">http://www.sonneries-3G.magikmobile.com</a> <a href="http://www.sonneries-sanyo-s750.magikmobile.com">http://www.sonneries-sanyo-s750.magikmobile.com</a> <a href="http://www.mes-sonneries-motorola.magikmobile.com">http://www.mes-sonneries-motorola.magikmobile.com</a> <a href="http://www.sonnerie-motorola-v500.magikmobile.com">http://www.sonnerie-motorola-v500.magikmobile.com</a> <a href="http://www.sonneries-samsung-z107.magikmobile.com">http://www.sonneries-samsung-z107.magikmobile.com</a> <a href="http://www.les-sonneries-nokia-7610.magikmobile.com">http://www.les-sonneries-nokia-7610.magikmobile.com</a> <a href="http://www.sonneries-z600.magikmobile.com">http://www.sonneries-z600.magikmobile.com</a> <a href="http://www.sonneries-z1010.magikmobile.com">http://www.sonneries-z1010.magikmobile.com</a> <a href="http://www.sonneries-p900.magikmobile.com">http://www.sonneries-p900.magikmobile.com</a> <a href="http://www.sonneries-p910i..magikmobile.com">http://www.sonneries-p910i..magikmobile.com</a> <a href="http://www.sonneries-t610..magikmobile.com">http://www.sonneries-t610..magikmobile.com</a> <a href="http://www.sonneries-v800..magikmobile.com">http://www.sonneries-v800..magikmobile.com</a> <a href="http://www.sonneries-f500i.magikmobile.com">http://www.sonneries-f500i.magikmobile.com</a> <a href="http://www.">http://www.</a> <a href="http://www.sonneries-sagem-mys-7.magikmobile.com">http://www.sonneries-sagem-mys-7.magikmobile.com</a> <a href="http://www.sonneries-alcatel-332.magikmobile.com">http://www.sonneries-alcatel-332.magikmobile.com</a> <a href="http://www.sonneries-alcatel-511.magikmobile.com">http://www.sonneries-alcatel-511.magikmobile.com</a> <a href="http://www.sonneries-alcatel-512.magikmobile.com">http://www.sonneries-alcatel-512.magikmobile.com</a> <a href="http://www.sonneries-alcatel-525.magikmobile.com">http://www.sonneries-alcatel-525.magikmobile.com</a> <a href="http://www.sonneries-alcatel-535.magikmobile.com">http://www.sonneries-alcatel-535.magikmobile.com</a> <a href="http://www.sonneries-alcatel-565.magikmobile.com">http://www.sonneries-alcatel-565.magikmobile.com</a> <a href="http://www.sonneries-alcatel-715.magikmobile.com">http://www.sonneries-alcatel-715.magikmobile.com</a> <a href="http://www.sonneries-alcatel-735.magikmobile.com">http://www.sonneries-alcatel-735.magikmobile.com</a> <a href="http://www.sonneries-alcatel-756.magikmobile.com">http://www.sonneries-alcatel-756.magikmobile.com</a> <a href="http://www.sonneries-alcatel-835.magikmobile.com">http://www.sonneries-alcatel-835.magikmobile.com</a> <a href="http://www.les-soneries.magikmobile.com">http://www.les-soneries.magikmobile.com</a> <a href="http://www.loggo.magikmobile.com">http://www.loggo.magikmobile.com</a> <a href="http://www.loggos.magikmobile.com">http://www.loggos.magikmobile.com</a> <a href="http://www.les-sonnerie-sagem.magikmobile.com">http://www.les-sonnerie-sagem.magikmobile.com</a> <a href="http://www.les-sonnerie-samsung.magikmobile.com">http://www.les-sonnerie-samsung.magikmobile.com</a> <a href="http://www.sonneris.magikmobile.com">http://www.sonneris.magikmobile.com</a> <a href="http://www.mes-sonneries-nokia.magikmobile.com">http://www.mes-sonneries-nokia.magikmobile.com</a> <a href="http://www.les-sonnerie-philips.magikmobile.com">http://www.les-sonnerie-philips.magikmobile.com</a> <a href="http://www.les-sonnerie-lg.magikmobile.com">http://www.les-sonnerie-lg.magikmobile.com</a> <a href="http://www.les-sonnerie-sony-ericsson.magikmobile.com">http://www.les-sonnerie-sony-ericsson.magikmobile.com</a> <a href="http://www.les-sonnerie-sonyericsson.magikmobile.com">http://www.les-sonnerie-sonyericsson.magikmobile.com</a> <a href="http://www.les-sonnerie-motorola.magikmobile.com">http://www.les-sonnerie-motorola.magikmobile.com</a> <a href="http://www.les-sonnerie-nokia.magikmobile.com">http://www.les-sonnerie-nokia.magikmobile.com</a> <a href="http://www.les-sonnerie-mobile.magikmobile.com">http://www.les-sonnerie-mobile.magikmobile.com</a> <a href="http://www.logos-nokia-logo.magikmobile.com">http://www.logos-nokia-logo.magikmobile.com</a> <a href="http://www.logos-sagem-logo.magikmobile.com">http://www.logos-sagem-logo.magikmobile.com</a> <a href="http://www.logos-samsung-logo.magikmobile.com">http://www.logos-samsung-logo.magikmobile.com</a> <a href="http://www.logos-lg-logo.magikmobile.com">http://www.logos-lg-logo.magikmobile.com</a> <a href="http://www.logos-motorola-logo.magikmobile.com">http://www.logos-motorola-logo.magikmobile.com</a> <a href="http://www.logos-philips-logo.magikmobile.com">http://www.logos-philips-logo.magikmobile.com</a> <a href="http://www.logos-sonyericsson-logo.magikmobile.com">http://www.logos-sonyericsson-logo.magikmobile.com</a> <a href="http://www.logos-sony-ericsson-logo.magikmobile.com">http://www.logos-sony-ericsson-logo.magikmobile.com</a> <a href="http://www.sonneries-monophoniques.magikmobile.com">http://www.sonneries-monophoniques.magikmobile.com</a> <a href="http://www.sonnerie-monophonique.magikmobile.com">http://www.sonnerie-monophonique.magikmobile.com</a> <a href="http://www.les-sonneries-polyphonique.magikmobile.com">http://www.les-sonneries-polyphonique.magikmobile.com</a> <a href="http://www.sonneries-benq.magikmobile.com">http://www.sonneries-benq.magikmobile.com</a>">http://www.sonneries-benq.magikmobile.com">http://www.sonneries-benq.magikmobile.com</a> <a href="http://www.sonnerie-benq.magikmobile.com">http://www.sonnerie-benq.magikmobile.com</a>">http://www.sonnerie-benq.magikmobile.com">http://www.sonnerie-benq.magikmobile.com</a> <a href="http://www.sonneries-benq.magikmobile.com">http://www.sonneries-benq.magikmobile.com</a>">http://www.sonneries-benq.magikmobile.com">http://www.sonneries-benq.magikmobile.com</a> <a href="http://www.sonnerie-benq.magikmobile.com">http://www.sonnerie-benq.magikmobile.com</a>">http://www.sonnerie-benq.magikmobile.com">http://www.sonnerie-benq.magikmobile.com</a> <a href="http://www.sonneries-benq-m300.magikmobile.com">http://www.sonneries-benq-m300.magikmobile.com</a> <a href="http://www.sonneries-handspring.magikmobile.com">http://www.sonneries-handspring.magikmobile.com</a> <a href="http://www.sonneries-handspring-treo600.magikmobile.com">http://www.sonneries-handspring-treo600.magikmobile.com</a> <a href="http://www.sonneries-lg-5220c.magikmobile.com">http://www.sonneries-lg-5220c.magikmobile.com</a> <a href="http://www.sonneries-lg-5300.magikmobile.com">http://www.sonneries-lg-5300.magikmobile.com</a> <a href="http://www.sonneries-lg-5300i.magikmobile.com">http://www.sonneries-lg-5300i.magikmobile.com</a> <a href="http://www.sonneries-lg-5310.magikmobile.com">http://www.sonneries-lg-5310.magikmobile.com</a> <a href="http://www.sonneries-lg-5400.magikmobile.com">http://www.sonneries-lg-5400.magikmobile.com</a> <a href="http://www.sonneries-lg-7000.magikmobile.com">http://www.sonneries-lg-7000.magikmobile.com</a> <a href="http://www.sonneries-lg7020.magikmobile.com">http://www.sonneries-lg7020.magikmobile.com</a> <a href="http://www.sonneries-lg7030.magikmobile.com">http://www.sonneries-lg7030.magikmobile.com</a> <a href="http://www.sonneries-lg-7050.magikmobile.com">http://www.sonneries-lg-7050.magikmobile.com</a> <a href="http://www.sonneries-lg-7070.magikmobile.com">http://www.sonneries-lg-7070.magikmobile.com</a> <a href="http://www.sonneries-lg-7100.magikmobile.com">http://www.sonneries-lg-7100.magikmobile.com</a> <a href="http://www.sonneries-lg-7120.magikmobile.com">http://www.sonneries-lg-7120.magikmobile.com</a> <a href="http://www.sonneries-lg-c1100.magikmobile.com">http://www.sonneries-lg-c1100.magikmobile.com</a> <a href="http://www.sonneries-lg-c1200.magikmobile.com">http://www.sonneries-lg-c1200.magikmobile.com</a> <a href="http://www.sonneries-lg-c1400.magikmobile.com">http://www.sonneries-lg-c1400.magikmobile.com</a> <a href="http://www.sonneries-lg-c2200.magikmobile.com">http://www.sonneries-lg-c2200.magikmobile.com</a> <a href="http://www.sonneries-lg-3100.magikmobile.com">http://www.sonneries-lg-3100.magikmobile.com</a> <a href="http://www.sonneries-lg-f2100.magikmobile.com">http://www.sonneries-lg-f2100.magikmobile.com</a> <a href="http://www.sonneries-lg-f7250.magikmobile.com">http://www.sonneries-lg-f7250.magikmobile.com</a> <a href="http://www.sonneries-lg-g1600.magikmobile.com">http://www.sonneries-lg-g1600.magikmobile.com</a> <a href="http://www.sonneries-lg-g3100.magikmobile.com">http://www.sonneries-lg-g3100.magikmobile.com</a> <a href="http://www.sonneries-lg-g7200.magikmobile.com">http://www.sonneries-lg-g7200.magikmobile.com</a> <a href="http://www.sonneries-lg-l1100.magikmobile.com">http://www.sonneries-lg-l1100.magikmobile.com</a> <a href="http://www.sonneries-lg-l3100.magikmobile.com">http://www.sonneries-lg-l3100.magikmobile.com</a> <a href="http://www.sonneries-lg-l5100.magikmobile.com">http://www.sonneries-lg-l5100.magikmobile.com</a> <a href="http://www.sonneries-lg-t5100.magikmobile.com">http://www.sonneries-lg-t5100.magikmobile.com</a> <a href="http://www.sonneries-my-c2.magikmobile.com">http://www.sonneries-my-c2.magikmobile.com</a> <a href="http://www.sonneries-my-c2-2.magikmobile.com">http://www.sonneries-my-c2-2.magikmobile.com</a> <a href="http://www.sonneries-my-c3b.magikmobile.com">http://www.sonneries-my-c3b.magikmobile.com</a> <a href="http://www.sonneries-my-c3s.magikmobile.com">http://www.sonneries-my-c3s.magikmobile.com</a> <a href="http://www.sonneries-my-c4.magikmobile.com">http://www.sonneries-my-c4.magikmobile.com</a> <a href="http://www.sonneries-my-c5-2.magikmobile.com">http://www.sonneries-my-c5-2.magikmobile.com</a> <a href="http://www.sonneries-my-c5w.magikmobile.com">http://www.sonneries-my-c5w.magikmobile.com</a> <a href="http://www.sonneries-my-g5.magikmobile.com">http://www.sonneries-my-g5.magikmobile.com</a> <a href="http://www.sonneries-my-v55.magikmobile.com">http://www.sonneries-my-v55.magikmobile.com</a> <a href="http://www.sonneries-my-v65.magikmobile.com">http://www.sonneries-my-v65.magikmobile.com</a> <a href="http://www.sonneries-my-v75.magikmobile.com">http://www.sonneries-my-v75.magikmobile.com</a> <a href="http://www.sonneries-my-x1.magikmobile.com">http://www.sonneries-my-x1.magikmobile.com</a> <a href="http://www.sonneries-my-x2.magikmobile.com">http://www.sonneries-my-x2.magikmobile.com</a> <a href="http://www.sonneries-my-x3-2.magikmobile.com">http://www.sonneries-my-x3-2.magikmobile.com</a> <a href="http://www.sonneries-my-x4.magikmobile.com">http://www.sonneries-my-x4.magikmobile.com</a> <a href="http://www.sonneries-my-x4t.magikmobile.com">http://www.sonneries-my-x4t.magikmobile.com</a> <a href="http://www.sonneries-my-x5.magikmobile.com">http://www.sonneries-my-x5.magikmobile.com</a> <a href="http://www.sonneries-my-x5-2.magikmobile.com">http://www.sonneries-my-x5-2.magikmobile.com</a> <a href="http://www.sonneries-my-x5-2t.magikmobile.com">http://www.sonneries-my-x5-2t.magikmobile.com</a> <a href="http://www.sonneries-my-x5m.magikmobile.com">http://www.sonneries-my-x5m.magikmobile.com</a> <a href="http://www.sonneries-my-x6.magikmobile.com">http://www.sonneries-my-x6.magikmobile.com</a> <a href="http://www.sonneries-my-x7.magikmobile.com">http://www.sonneries-my-x7.magikmobile.com</a> <a href="http://www.sonneries-my-x8.magikmobile.com">http://www.sonneries-my-x8.magikmobile.com</a> <a href="http://www.nouvelles-sonneries.magikmobile.com">http://www.nouvelles-sonneries.magikmobile.com</a> <a href="http://www.sonnerie-nouvelle.magikmobile.com">http://www.sonnerie-nouvelle.magikmobile.com</a> <a href="http://www.nouveaux-logos.magikmobile.com">http://www.nouveaux-logos.magikmobile.com</a> <a href="http://www.nouveau-logo.magikmobile.com">http://www.nouveau-logo.magikmobile.com</a> <a href="http://www.sonneries-nouveaute.magikmobile.com">http://www.sonneries-nouveaute.magikmobile.com</a> <a href="http://www.sonnerie-nouveaute.magikmobile.com">http://www.sonnerie-nouveaute.magikmobile.com</a> <a href="http://www.mes-sonneries-mobile.magikmobile.com">http://www.mes-sonneries-mobile.magikmobile.com</a> <a href="http://www.les-logos-portables.magikmobile.com">http://www.les-logos-portables.magikmobile.com</a> <a href="http://www.les-logos-portable.magikmobile.com">http://www.les-logos-portable.magikmobile.com</a> <a href="http://www.les-logo-portable.magikmobile.com">http://www.les-logo-portable.magikmobile.com</a> <a href="http://www.mes-sonneries-sony.magikmobile.com">http://www.mes-sonneries-sony.magikmobile.com</a> <a href="http://www.les-sonnerie-sony.magikmobile.com">http://www.les-sonnerie-sony.magikmobile.com</a> <a href="http://www.mes-sonneries-ericsson.magikmobile.com">http://www.mes-sonneries-ericsson.magikmobile.com</a> <a href="http://www.les-sonnerie-ericsson.magikmobile.com">http://www.les-sonnerie-ericsson.magikmobile.com</a> <a href="http://www.les-sonneries-gratuites.magikmobile.com">http://www.les-sonneries-gratuites.magikmobile.com</a> <a href="http://www.mes-sonnerie-gratuite.magikmobile.com">http://www.mes-sonnerie-gratuite.magikmobile.com</a> <a href="http://www.les-sonneries-gratuite.magikmobile.com">http://www.les-sonneries-gratuite.magikmobile.com</a> <a href="http://www.logos-sexy-logo.magikmobile.com/sexy.aspx">http://www.logos-sexy-logo.magikmobile.com/sexy.aspx</a> <a href="http://www.la-sonerie.magikmobile.com">http://www.la-sonerie.magikmobile.com</a> <a href="http://www.la-sonneri.magikmobile.com">http://www.la-sonneri.magikmobile.com</a> <a href="http://www.la-sonnerie-sagem.magikmobile.com">http://www.la-sonnerie-sagem.magikmobile.com</a> <a href="http://www.la-sonnerie-samsung.magikmobile.com">http://www.la-sonnerie-samsung.magikmobile.com</a> <a href="http://www.la-sonnerie-alcatel.magikmobile.com">http://www.la-sonnerie-alcatel.magikmobile.com</a>

# Bobo said on January 3, 2005 07:05 PM:

http://www.mobipack.com

# MBA said on January 5, 2005 06:20 PM:

[http://kukuxz002.freewebpage.org/]
[http://kukuxz003.freewebpage.org/]
[http://kukuxz004.freewebpage.org/]
[http://kukuxz005.freewebpage.org/]
[http://kukuxz006.freewebpage.org/]
[http://kukuxz007.freewebpage.org/]
[http://kukuxz009.freewebpage.org/]
[http://aissl.51.net/]
[http://itpeixun.51.net/]
[http://kukuxz001.51.net/]
[http://kukuxz002.51.net/]
[http://kukuxz003.51.net/]
[http://kukuxz004.51.net/]
[http://kukuxz005.51.net/]
[http://kukuxz006.51.net/]
[http://kukuxz007.51.net/]
[http://kukuxz008.51.net/]
[http://kukuxz009.51.net/]
[http://mba8.51.net/]
[http://mba88.51.net/]
[http://mba666.51.net/]
[http://lhm002.51.net/]
[http://lhm003.51.net/]
[http://lhm004.51.net/]
[http://lhm005.51.net/]
[http://lhm006.51.net/]
[http://lhm007.51.net/]
[http://lhm0008.51.net/]
[http://lhm009.51.net/]

# Google Plcement said on January 5, 2005 06:22 PM:

[http://kukuxz002.freewebpage.org/][http://kukuxz003.freewebpage.org/][http://kukuxz004.freewebpage.org/][http://kukuxz005.freewebpage.org/][http://kukuxz006.freewebpage.org/][http://kukuxz007.freewebpage.org/][http://kukuxz009.freewebpage.org/][http://aissl.51.net/][http://itpeixun.51.net/][http://kukuxz001.51.net/][http://kukuxz002.51.net/][http://kukuxz003.51.net/][http://kukuxz004.51.net/][http://kukuxz005.51.net/][http://kukuxz006.51.net/][http://kukuxz007.51.net/][http://kukuxz008.51.net/][http://kukuxz009.51.net/][http://mba8.51.net/][http://mba88.51.net/][http://mba666.51.net/][http://lhm002.51.net/][http://lhm003.51.net/][http://lhm004.51.net/][http://lhm005.51.net/][http://lhm006.51.net/][http://lhm007.51.net/][http://lhm0008.51.net/][http://lhm009.51.net/]

# Frederick said on January 7, 2005 10:08 AM:

"Earth to programmer, earth to programmer.."
wake-up

who lets enter colornames in a textbox by the customer anyway.. at least use a listbox with pre-defined colors.

If you start programming as the article suggested, then almost no language/technology is safe to use.

Use common sense. I rate this article 0/10

# Ben said on January 7, 2005 04:16 PM:

Nice catch...thankfully, I'm a CSS clod so maybe I'm safe? :)

J/k...I'm assuming this CSS expression vulnerability is an issue in more than just colors. If so, are there any *generic* functions we can wrap our properties assignments in? ColorConverter / ColorTranslator are fine for colors, but what about background images, fonts, etc? Or maybe we just have to write our own safety wrapper for each type of input (one for RGBs, one for font info, etc.) ?

Anyhow, keep up the good work.

- Ben
www.developmentnow.com

# Google Plcement said on January 7, 2005 06:37 PM:

[http://kukuxz002.freewebpage.org/][http://kukuxz003.freewebpage.org/][http://kukuxz004.freewebpage.org/][http://kukuxz005.freewebpage.org/][http://kukuxz006.freewebpage.org/][http://kukuxz007.freewebpage.org/][http://kukuxz009.freewebpage.org/][http://aissl.51.net/][http://itpeixun.51.net/][http://kukuxz001.51.net/][http://kukuxz002.51.net/][http://kukuxz003.51.net/][http://kukuxz004.51.net/][http://kukuxz005.51.net/][http://kukuxz006.51.net/][http://kukuxz007.51.net/][http://kukuxz008.51.net/][http://kukuxz009.51.net/][http://mba8.51.net/][http://mba88.51.net/][http://mba666.51.net/][http://lhm002.51.net/][http://lhm003.51.net/][http://lhm004.51.net/][http://lhm005.51.net/][http://lhm006.51.net/][http://lhm007.51.net/][http://lhm0008.51.net/][http://lhm009.51.net/]

# 手机铃声下载 said on January 11, 2005 08:43 AM:

http://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cnhttp://mms.nuc.cn

# xdlvod said on January 12, 2005 10:04 AM:

<p><a href="http://www.xdlvod.com">vod</a></p>
<p><a href="http://www.bigcattle.com">pos</a></p>
<p><a href="http://xdlvod.blogchina.com">vod</a></p>
<p><a href="http://xdlktv.blogchina.com">pos</a></p>
<p><a href="http://xdlvod.51.net">vod</a></p>
<p><a href="http://www.xdlvod.com/ktv_function.asp">pos</a></p>
<p><a href="http://www.bigcattle.com/ktv_function.asp">pos</a></p>

# ASP.NET Italiano Blogs said on December 23, 2007 10:55 AM:

Io e Andrea abbiamo appena ricevuto una mail da Dino e personalmente la stavo per prendere come una divertente

Leave a Comment

(required) 
(required) 
(optional)
(required)