  • Category: .NET

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

    Hi Team,

    After R&D I didn't get a solution for this. Please see below for the Veracode flaw and help me fix this flaw.

    this.Response.Write("<font color='red'>Error on sql-query: \n" + e.Message + "</font><hr>");
    this.Response.Write(" sql :" + commands[i] + "<hr>");
  • #759941
    Please try Server.HtmlEncode in your code and see if it works.
    Miss. Jain
    Microsoft Certified Technology Specialist in .Net

  • #759954
    Hello Shashi,

    Update your original code with the lines of code below:
    this.Response.Write("<font style=\"color: Red;\">Error on sql-query: \n" + e.Message + "</font><hr>");
    this.Response.Write(" sql :" + commands[i] + "<hr>");

    Hope this is what you expect.

    Regards,
    Nirav Lalan
    DNS Gold Member
    "Failure is the path of least persistence"

  • #759958
    catch (SqlException e)
    <%= Server.HTMLEncode("<font color='red'>Error on sql-query: \n" + e.Message + "</font><hr>") %> ;

    <%= Server.HTMLEncode("sql :" + commands[i] + "<hr>") %>;

    So can you please tell me whether this is correct or not?

  • #759959
    Hello Shashi,

    The code you have written is totally incorrect.
    It will cause an error.

    You should use the code I gave you. It works.

    Regards,
    Nirav Lalan
    DNS Gold Member
    "Failure is the path of least persistence"
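    The following is an added example, not code from this thread, from Veracode or from the poster's project. It shows what Miss Jain's suggestion (Server.HtmlEncode) looks like when applied to the two Response.Write lines from the question, and why the `<%= Server.HTMLEncode(...) %>` form fails inside a catch block: `<%= %>` is .aspx markup syntax, so it does not compile in C# code-behind, where the call is `HttpUtility.HtmlEncode` (the method `Server.HtmlEncode` delegates to). Changing `<font color='red'>` to `<font style="color: Red;">` only alters the static markup; the dynamic values `e.Message` and `commands[i]` are still written unencoded, and that data flow from an untrusted value to `Response.Write` is what the scanner reports. The `Main` method and the two payload strings are constructed for the demonstration; the `commands` array, the class that owns the catch block and whatever populates `e.Message` are assumptions about the poster's project, which is assumed to be an ASP.NET Web Forms application on the .NET Framework (the `System.Web` reference).

    ```csharp
    // Added example: HTML-encode every dynamic value before it reaches Response.Write.
    // Assumes an ASP.NET Web Forms project with System.Web referenced.
    using System;
    using System.Web;   // HttpUtility.HtmlEncode; Server.HtmlEncode delegates to the same encoder

    public static class SafeErrorOutput
    {
        // Produces the same HTML as the two Response.Write lines in the question,
        // but with the two pieces of dynamic data encoded. Static markup stays literal,
        // so the red text and the <hr> separators are preserved.
        public static string BuildErrorHtml(string exceptionMessage, string sqlText)
        {
            string safeMessage = HttpUtility.HtmlEncode(exceptionMessage);
            string safeSql = HttpUtility.HtmlEncode(sqlText);

            return "<font style=\"color: Red;\">Error on sql-query: \n" + safeMessage + "</font><hr>"
                 + " sql :" + safeSql + "<hr>";
        }

        // How it plugs into the original catch block in Page code-behind:
        //     catch (SqlException e) { SafeErrorOutput.WriteError(Response, e, commands[i]); }
        // <%= ... %> cannot appear inside a C# catch block; in .aspx markup the
        // equivalent would be <%: errorText %>, which ASP.NET 4 encodes automatically.
        public static void WriteError(HttpResponse response, Exception e, string sqlText)
        {
            response.Write(BuildErrorHtml(e.Message, sqlText));
        }

        public static void Main()
        {
            // Constructed payloads standing in for an exception message and a query
            // that an attacker managed to influence; not data from the original post.
            string hostileMessage = "Incorrect syntax near '<script>alert(document.cookie)</script>'.";
            string hostileSql = "select * from report where ReportID=1 or 1=1 --";

            // The <script> tag is emitted as &lt;script&gt;...&lt;/script&gt; and the
            // browser renders it as text instead of executing it.
            Console.WriteLine(BuildErrorHtml(hostileMessage, hostileSql));
        }
    }
    ```

    Outside System.Web (for example in a .NET Core library) `System.Net.WebUtility.HtmlEncode` does the same job. Encoding at the sink is the fix the scanner looks for; no amount of restyling the surrounding tags changes the finding, because the finding is about the unencoded data, not the markup around it.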

  • #759961
    I am getting the same flaw for the lines of code below... Please guide me on this.

    Response.Write("<td>" + reader["NachBestanSpar"].ToString() + "</td>");
    Response.Write("<td>" + reader["NachBestanRisik"].ToString() + "</td>");
    Response.Write("<td>" + reader["NachSpar"].ToString() + "</td>");
    Response.Write("<td>" + reader["NachRisik"].ToString() + "</td>");
    Response.Write("<td>" + reader["NachYear"].ToString() + "</td>");

  • #759975
    Hello Shashi,

    Find the code below:

    this.Response.Write("<font style=\"color: Red;\"><td>" + reader["NachBestanSpar"].ToString() + "</td></font>");
    this.Response.Write("<font style=\"color: Red;\"><td>" + reader["NachBestanRisik"].ToString() + "</td></font>");
    this.Response.Write("<font style=\"color: Red;\"><td>" + reader["NachSpar"].ToString() + "</td></font>");
    this.Response.Write("<font style=\"color: Red;\"><td>" + reader["NachRisik"].ToString() + "</td></font>");
    this.Response.Write("<font style=\"color: Red;\"><td>" + reader["NachYear"].ToString() + "</td></font>");


    Hope this will help you.

    Regards,
    Nirav Lalan
    DNS Gold Member
    "Failure is the path of least persistence"

  • #760032
    Hi
    Try the code I mention below; this code is working for me.

    DataTable dt = new DataTable();
    DataRow dr;
    dt.Columns.Add("EmpId");
    dt.Columns.Add("EmpName");
    dr = dt.NewRow();
    dr[0] = 1;
    dr[1] = "DNS";
    dt.Rows.Add(dr);

    Response.Write("<table border='2'><tr>");
    Response.Write("<td>" + Convert.ToInt32(dt.DefaultView[0][0]) + "</td>");
    Response.Write("<td>" + dt.DefaultView[0][1].ToString() + "</td></tr></table>");
    Response.Write("<font color='red'>Error on sql-query: \n" + Convert.ToInt32(dt.DefaultView[0][0]) + "</font><hr>");
    Response.Write(" sql :" + dt.DefaultView[0][1].ToString() + "<hr>");

    Name : Dotnet Developer-2015
    Email Id : kumaraspcode2009@gmail.com

    'Not by might nor by power, but by my Spirit,' says the LORD Almighty.


  • #760035
    conn.Open();

    cmd.CommandText = "select * from report where ReportID=" + randomID +
    " and ( isnull(BestanSpar, 0) != isnull(NachBestanSpar,0) or isnull(BestanRisik, 0) != isnull(NachBestanRisik, 0)) ";

    SqlDataReader reader = cmd.ExecuteReader();

    if (reader.Read())
    {
        do
        {
            Response.Write("<tr>");
            Response.Write("<td>" + reader["VG_UG"].ToString() + "</td>");
            Response.Write("<td>" + reader["Makler_Nr"].ToString() + "</td>");
            Response.Write("<td>" + reader["RatingSpar"].ToString() + "</td>");
            Response.Write("<td>" + reader["RatingRisik"].ToString() + "</td>");
            Response.Write("<td>" + reader["BestanSpar"].ToString() + "</td>");
            Response.Write("<td>" + reader["BestanRisik"].ToString() + "</td>");
            Response.Write("<td>" + reader["NachBestanSpar"].ToString() + "</td>");
            Response.Write("<td>" + reader["NachBestanRisik"].ToString() + "</td>");
            Response.Write("<td>" + reader["NachSpar"].ToString() + "</td>");
            Response.Write("<td>" + reader["NachRisik"].ToString() + "</td>");
            Response.Write("<td>" + reader["NachYear"].ToString() + "</td>");

            Response.Write("</tr>");
        } while (reader.Read());   // loop closed here; the rest of the post was cut off
    }
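    The following is an added example, not the poster's code and not a Veracode recommendation, covering the table loop asked about in #759961 and posted in full above. Wrapping each `<td>` in a `<font>` tag, as suggested in #759975, changes nothing the scanner cares about: every `reader[...]` value is still concatenated into the response unencoded. The example encodes each cell through one helper, and it also passes `ReportID` as a `SqlParameter` instead of concatenating `randomID` into the query text; if `randomID` can be influenced by the request, that concatenation is a separate SQL injection finding, and parameterising it costs nothing either way. The column names are taken from the posted loop; the `int` type of `ReportID`, the `Main` method, the hostile cell value and the callers' connection handling are assumptions for the demonstration.

    ```csharp
    // Added example: the report loop with encoded cells and a parameterised query.
    // Assumes ASP.NET Web Forms on the .NET Framework and an int ReportID column.
    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Web;

    public static class ReportTable
    {
        // Column list from the posted loop, kept as data so there is a single
        // encoding path instead of eleven hand-written Response.Write lines.
        private static readonly string[] Columns =
        {
            "VG_UG", "Makler_Nr", "RatingSpar", "RatingRisik", "BestanSpar", "BestanRisik",
            "NachBestanSpar", "NachBestanRisik", "NachSpar", "NachRisik", "NachYear"
        };

        // Renders one cell. Null and DBNull become an empty cell instead of
        // throwing on .ToString(); everything else is HTML-encoded.
        public static string Cell(object value)
        {
            string text = (value == null || value == DBNull.Value) ? "" : value.ToString();
            return "<td>" + HttpUtility.HtmlEncode(text) + "</td>";
        }

        public static void WriteReport(HttpResponse response, SqlConnection conn, int reportId)
        {
            using (SqlCommand cmd = conn.CreateCommand())
            {
                // Parameterised: the value travels separately from the SQL text, so
                // whatever reportId holds can never change the structure of the query.
                cmd.CommandText =
                    "select * from report where ReportID = @ReportID " +
                    "and ( isnull(BestanSpar, 0) != isnull(NachBestanSpar, 0) " +
                    "or isnull(BestanRisik, 0) != isnull(NachBestanRisik, 0) )";
                cmd.Parameters.Add("@ReportID", SqlDbType.Int).Value = reportId;

                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        response.Write("<tr>");
                        foreach (string column in Columns)
                        {
                            response.Write(Cell(reader[column]));
                        }
                        response.Write("</tr>");
                    }
                }
            }
        }

        public static void Main()
        {
            // Offline check of the encoding path with a constructed hostile value;
            // WriteReport itself needs a live SqlConnection and an HttpResponse.
            Console.WriteLine(Cell("<img src=x onerror=alert(1)>"));   // tag is emitted as text
            Console.WriteLine(Cell(DBNull.Value));                      // empty <td></td>
        }
    }
    ```

    If `randomID` arrives as a string from the request, parse it with `int.TryParse` before calling `WriteReport` and reject the request when parsing fails; that keeps the type check at the boundary and the parameter binding in one place.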

