#1
Http://www.rhmun.com
This is a site I made for RHMUN; please give any comments or concerns you have about the site.
http://www.rhmun.com
#2
You need to implement better input validation on the "Register.asp" page. It's Cross-Site Scriptable.
#3
Lol, I just got mass-registered by someone...
#4
By the way, is there any way for me to set the page to only accept POSTs from my website, i.e. cut off remote POSTs?
#5
Yes, you can reduce the chance of remote POSTs by checking the Referer header and making sure the value is from your site, but that won't prevent it completely, as the Referer header can be manipulated. I was the one that did the mass register; it was remote, and I modified the Referer header.
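The check described in post #5, as an added example (not code from the forum thread or from the rhmun.com site). The host name is an assumption and the sample request headers are constructed. It shows the Referer/Origin check doing what the post says: it stops a plain cross-site form post but lets through a remote client that simply writes the expected Referer. It also shows why the comparison must be on the parsed host name rather than a string prefix.

```python
"""Referer/Origin check for a form handler (added example, see post #5).

ALLOWED_HOST is assumed; the request header dicts below are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_HOST = "www.rhmun.com"  # assumption: the site's own host name


def referer_allowed(headers: dict) -> bool:
    """True if the request claims to come from our own site.

    Origin is preferred (browsers send it on cross-site POSTs); Referer is
    the fallback. A missing or unparseable header is treated as disallowed.
    Both headers are chosen by the client, so this only stops naive
    cross-site posting; a client that sets the header itself still passes.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lower.get("origin") or lower.get("referer")
    if not value:
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port and lower-cases the host
    return parts.hostname == ALLOWED_HOST


def naive_prefix_check(value: str) -> bool:
    """The tempting but wrong version: a string-prefix comparison.

    Kept only to show what it gets wrong (see demo()).
    """
    return value.startswith("http://" + ALLOWED_HOST)


# constructed sample requests
SAMPLES = {
    "browser_on_site":   {"Referer": "http://www.rhmun.com/register.asp"},
    "cross_site_form":   {"Origin": "http://evil.example", "Referer": "http://evil.example/autoreg.html"},
    "no_header":         {},
    "forged_by_tool":    {"Referer": "http://www.rhmun.com/register.asp"},  # remote script sets it
    "lookalike_host":    {"Referer": "http://www.rhmun.com.evil.example/"},
    "userinfo_trick":    {"Referer": "http://www.rhmun.com@evil.example/"},
}


def demo() -> dict:
    """Run every sample through both checks; returns {name: (proper, naive)}."""
    out = {}
    for name, headers in SAMPLES.items():
        value = headers.get("Referer", "")
        out[name] = (referer_allowed(headers), naive_prefix_check(value))
    return out


if __name__ == "__main__":
    for name, (proper, naive) in demo().items():
        print(f"{name:18s} parsed-host check={proper!s:5s} naive-prefix check={naive}")
```

The forged_by_tool case is indistinguishable from browser_on_site, which is the point of post #5. The last two cases show that a prefix comparison accepts hosts that merely start with the expected name, whereas comparing the parsed host name rejects them.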
#6
Evil... xD
Anyway, try again. I researched a lot about the safety of the site. It took me a lot of work; I think it's safer now. Even if there are still leaks, the page now records every IP that visits it.
#7
Nope, the page is still vulnerable to an XSS attack.
If I were doing the site I would whitelist the acceptable input into those fields.
#8
Can you please specify? I Googled "ASP whitelist" and got a bunch of irrelevant results.
#9
It's not "ASP whitelist", it's just whitelist.
It's basically an input validation technique that ensures only acceptable characters are allowed in the fields. For example, you would only allow characters a-z in the first name field. You would only allow characters a-z, ' (apostrophe), and - (hyphen) in the last name field. For a basic zip code you would only allow 5 digits in the zip code field. This is whitelisting. And the validation should be done on both the client and the server.
#10
Hmmm, great, I worked on that. Any comments on the design?
#11
Sorry, I don't do design, only security.
#12
Hi,
I have visited your site and I think it looks good. Good luck to you.
#13
Thank you. xD
#14
In your Contact Us page, the mail addresses are not clickable.
Usually when a user sees an email address, he/she should be able to click it and send an email. This is done with pure HTML:
Code:
<a href="mailto:email@domain.com">email@domain.com</a>
You can learn more by Googling the word "mailto". The rest of the site looks fine, nice and simple design.
#15
Thank you, shadow. The reason why I did not use mailto is because I personally find it unhandy. People around me don't use any software clients like Outlook, so it would be inconvenient if anyone accidentally clicked it when they just wanted to copy and paste. =)
Viewing: ASP Free Forums > Web Design > Site Reviews > Http://www.rhmun.com