Javascript and XSS Prevention

I am checking my website for JavaScript and XSS attacks. It is written in ASP.NET WebForms.

The main part that I would like to test is the user control, which has a text field (tinyMCE attached to it).

Users can send stories to the site, which they write in this text box. I had to set validateRequest to false since I want to receive the user stories as HTML (tinyMCE).

How do I prevent JavaScript/XSS attacks? Since the user stories are HTML text, I cannot use Server.HtmlEncode on them. In general, what is a safe way to get HTML content from a user, save it, and then display it to other users?

If one user puts malicious code in a text field and sends it, is it likely that it could harm other people who view this text?

Thanks.

3 answers

If you do not sanitize what the user enters in the text field and submits, then yes, there is a chance of harm.

You might want to check out the Microsoft Anti-Cross Site Scripting Library, as it is designed to help developers prevent such attacks.

It's also worth taking a look at OWASP Cross-Site Scripting (XSS).

You might want to look at HttpUtility.HtmlEncode and HttpUtility.HtmlDecode. I just wrote a quick test, and it looks like this might address your concern in the comment below (how to display the data to other users in the correct format):

    using System.Web; // HttpUtility lives in System.Web.dll

    string htmlString = "<b>This is a test string</b><script>alert(\"alert!\")</script> and some other text with markup <ol><li>1234235</li></ol>";

    // Encode: every <, >, & and " becomes an entity, so the browser renders it as text
    string encodedString = HttpUtility.HtmlEncode(htmlString);
    // result = &lt;b&gt;This is a test string&lt;/b&gt;&lt;script&gt;alert(&quot;alert!&quot;)&lt;/script&gt; and some other text with markup &lt;ol&gt;&lt;li&gt;1234235&lt;/li&gt;&lt;/ol&gt;

    // Decode: the original markup, script tag included, comes back unchanged
    string decodedString = HttpUtility.HtmlDecode(encodedString);
    // result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>

ASP.NET and HtmlEncode controls

I was going to post the information I got from my class, but I found a link that lists the same thing (for versions 1.1 and 2.0), so I will post the link instead for convenience. You can probably get more information about a specific control that is not listed (or about versions 3.0 / 3.5 / 4.0, if they changed) by looking at MSDN, but this should serve as a minimum to get you started. Let me know if you need more information and I will see what I can find.

ASP.NET default HTML controls

Here is a more complete list from one of the MSDN blogs: Which ASP.NET controls automatically encode?

+4

I would go with storing it in the database and then, when displaying it, decoding it and replacing only < with &lt;, if you say that you need to keep other things.

As far as I know, if you replace <, XSS is not realistic, since any JS code must be inside <script> tags to be executed, and after replacing it you will get this in the HTML source: &lt;script>, and the user will see <script> on the screen as the browser parses the &lt;.

This means that if you allow users to publish raw HTML, for example <b>this section is bolded</b>, then you have to create a whitelist of allowed tags and then manually replace &lt; with the proper HTML:

    // Assumes `output` already holds the HTML-encoded user text (e.g. from HttpUtility.HtmlEncode)
    string[] allowedTags = new string[] { "a", "b", "img" };
    foreach (string allowedTag in allowedTags)
        output = output.Replace("&lt;" + allowedTag, "<" + allowedTag);
+3

Have you seen the OWASP guide on this?

A better way would be to have a whitelist of allowed tags instead of trying to detect all the script tags.

One solution for how to do this is here: How do I filter all HTML tags except a specific whitelist? But you also need to know that people can include an external script link through an image tag with a URL to their own server. Here are examples of the different types of attacks that need to be protected against: http://ha.ckers.org/xss.html

+1
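The whitelist approach the second and third answers recommend, written as an added illustration (not code from this thread or from ASP.NET) using only Python's standard library, so the logic is language-neutral and transferable to a C# sanitizer. The tags and attributes in ALLOWED are an assumed sample policy. Unlike the replace-based snippet above, it parses the submitted HTML, keeps only listed tags and attributes, rejects href/src values whose scheme is not http(s) (the image-tag case the third answer mentions, plus javascript: URLs), discards script/style content entirely, and encodes all remaining text:

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Whitelist: tag -> attributes allowed on it; every other tag and attribute is dropped.
ALLOWED = {"b": set(), "i": set(), "p": set(), "ol": set(), "ul": set(), "li": set(),
           "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}          # values the browser navigates to or loads
VOID = {"img"}                       # tags that take no closing tag
DROP_CONTENT = {"script", "style"}   # drop these tags AND the text inside them
def safe_url(value):
    # Only http(s) or relative URLs survive; blocks javascript:, data:, vbscript: schemes
    return urlsplit(value.strip()).scheme in ("", "http", "https")

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):       # unknown tags fall through and vanish
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = []
            for name, value in attrs:            # drops onerror=, onclick=, style=, ...
                value = value or ""
                if name in ALLOWED[tag] and (name not in URL_ATTRS or safe_url(value)):
                    kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            if tag not in VOID:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open_tags and not self.skip:
            while self.open_tags:                # close nested tags up to this one
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))   # text nodes are always encoded

def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    parser.out.extend("</%s>" % t for t in reversed(parser.open_tags))  # close leftovers
    return "".join(parser.out)
```

Run on the first answer's sample string, sanitize() keeps the bold text and the list but removes the script tag together with its alert() body; an unclosed tag is closed so the fragment cannot break out of the surrounding page.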
Source: https://habr.com/ru/post/892428/
