All geek questions in one place

How to eliminate improper neutralization of Script-implemented HTML tags on a web page (Basic XSS) with an error message?

We use the web management adapter on our login page. We recently launch VeraCode in our web application. In the next function, we got CWE80, improperly neutralizing Script -Related HTML tags on a web page (Basic XSS), in line

rev.ErrorMessage = msg;

The following is a function of the WebControlAdapterExtender class.

static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
        {
            if (rev != null)
            {
                rev.CssClass = className;
                rev.ControlToValidate = controlToValidate;
                rev.ErrorMessage = msg;
                rev.ValidationExpression = expression;
                rev.RenderControl(writer);
            }
        }

Does anyone have a suggestion on how to fix this?

+4
source share
4 answers

, "msg" , , - " ", , . , : http://www.veracode.com/images/pdf/top5mostprevalent.pdf

, , ErrorMessage . , "msg" , .

-: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

HtmlEncode HttpUtility.HtmlEncode(unencoded);

rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);
+4

Apache Commons Lang3 StringEscapeUtils. . escapeXml (), escapeHtml () ..

rev.ErrorMessage = StringEscapeUtils.escapeHtml(msg);
0

HTTP. HTTP- HTTP-, , .

strMessage = CLASSCONSTANTNAME + + MESSAGENAME + ; LOGGER.info(strMessage);

strMessage = CLASSCONSTANTNAME + + MESSAGENAME + ; LOGGER.info(ESAPI.encoder() encodeForHTML (strMessage).);

moredetail

0

You can use the ESAPI library to fix this.

rev.ErrorMessage = ESAPI.encoder().encodeForHTML(msg);
0
source

Source: https://habr.com/ru/post/1527935/

More articles:


All Articles