Please bare with my ignorance for now as I have just started learning web related programming. So, I have a web project written in MVC that has a login window with Username textbox bound to a property:
#Html.TextBoxFor(model => model.UserName, new {#placeholder = "Username"})
As I understand, Razor automatically html encodes input to help preventing cross-script attacks. However, when I test username with a javascript I get an exception from MVC:
A potentially dangerous Request.Form value was detected from the
client (UserName="...hp?name_1=code
Which makes me think that the input is NOT html encoded. My idea was to resolve this issue with html encoding/decoding but looks like I am not getting this whole idea right. Could someone explain?
NOTE: one of SO's related posts provides an unsecured solution but it is not an option for me to simply allow html.
It is not HTML encoded, that is correct. You will have to do the HTML encoding in the Action that form posts back to.
Also, you will need to add [ValidateInput(false)] attribute just about your action.
Related
I have problem with read html code from database and displaying them.
It looks like this in my page:
And what I wanted it to look is:
I'm using TinyMCE to stored it into database with the code below:
teamContent.PageContent = WebUtility.HtmlEncode(edited_content); // edited_content is the html code I posted to controller to store.
_context.Update(teamContent);
_context.SaveChanges();
And then I decode the html code I stored using:
ViewBag.content = WebUtility.HtmlDecode(content);
ViewBag.content is passed from controller to view for displaying.
So what's the correct way to do this? Thanks
ViewBag.content is only capable of storing strings, so although you've decoded the content to be html it will be treated as a string when processed in the .cshtml.
The way to proceed is to tell .cshtml how to handle the ViewBag.content, and in this case we want it to be treated as raw html.
If you're using Razer you will use Html.Raw:
#Html.Raw(ViewBag.content)
Otherwise if not using Razer
<%= System.Web.HttpUtility.HtmlDecode(ViewBag.content) %>
Remember that if the content of what goes in to ViewBag.content is editable by the user that you're in dangerous territory and this is a security risk as the user can write malicious code to be executed on your site.
I need to fix XSS issues in my application. Now I am new to JSON and XSS. I think of two ways attacks can happen - first is through html input controls (text boxe/area etc) or through request parameters which are visible in the url (GET). Please suggest if i am missing something here?
I am thinking to use AntiSamy (https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project). I am thinking of creating a custom tag which would contain the value of html controls e.g.
<input type="text" NAME="name" value="<mytag:xssclean><c:out value= escapeXml="false"/></mytag:xssclean>
this tag class would actually use antisamy to scan the html content. will this take care of encoding any malicious javascript content entered into text box/area before sending those parameters to controller classes and then eventually to database? Or would it only encode the content which is coming from controller classes to get rendered on jsp?
Is this the right approach? When would i need to validate on the java side (controller classes by direct validation using antisamy) versus on jsp (with new tag)?
Additionally I have many jsp's which do not have direct form fields with html controls but their struture is created dynamically and jason string is given to the jsp. jsp would simply have : where 'value' would contain the final jason to be rendered on html (including html fields). Do we need to apply XSS solution using antisamy on jason strings or jason data is already safe from XSS attacks and the thing like are already present as text in jason? where should i resolve this issue for json cases?
I have a site where users upload content and they can name what they upload. Some users have included "&" in their name and I get an html validation error. Is there any way to allow the "&" to stay and yet also validate the page? This would be very helpful. If not, what other measures can I take to allow my page to validate? Thanks!
No, there is no way to make the page validate with invalid content.
And, YOU SHOULD NOT DISPLAY THE CONTENT WITHOUT ENCODING IT PROPERLY!
Sorry for shouting, but your site is wide open for cross site scripting attacks. Anyone can put harmful content in a name, and it will be run in other peoples browsers.
How you do this depends on what platform you are using. For example in ASP.NET webforms you would use the Server.HtmlEncode method to HTML encode the string. In ASP.NET MVC you would use the same, or simply the <%: %> server tag that does that automatically.
In php you will want to use the htmlentities method:
<?= htmlentities($username, ENT_QUOTES) ?>
Which will output me&myself (the correct way to display the value on the html page) if the user had entered me&myself
ALWAYS ALWAYS ALWAYS sanitize user inputs. Never trust any data that a client's browser has sent you. If someone entered something in a form field, NEVER stick it directly in a database query (sanitize it with something like my_real_escape_string($user_input)). Never print text to the browser directly if it was originally submitted by a client, always escape it (with htmlentities).
The reason you do this is because malicious users could execute cross-site scripting attacks on your site by submitting data that fires some javascript, and phishes or steals data from your other customers. If I set my name to <script type='javascript' src='http://mysite.com/bad-js.js' /> then anyone that loaded that page would have that unknown and potentially malicious javascript execute on their browser with access to their cookies and their session.
How does HTML form function? and what I mean by that question is not what a form does (It sends the information of all the input elements to the server), but I mean "How does the form know what to do"? Isn't HTML just a mark-up language, which means that it's not for programming? Is there some code hidden somewhere?
I hope it was clear ;)
HTML is processed by the browser, and the browser has programming which "makes the form work". All the form really does though (for most standard uses), is collect the user input and provide it as a POST request to the HTTP server.
Its just part of the web browser to serialize the contents of the input fields and send that up to the server.
I've noticed that browsers don't recognize my password field as a potential auto-complete target. I'm assuming this has something to do with the fact that the password field isn't in the original HTML - it's created by my GWT script after the page has loaded.
Is there a way to tell a browser, "hey, here's this form, treat it like usual?" How can I let browsers hook into my app for autofill?
There are some workarounds to get the browser to auto-complete your login like the one described here.
After struggling some time with it I strongly suggest you simply wrap an existing form of your host page (do not generate the inputs with GWT), do a form.submit() on it and have a servlet listen to the request.
I believe that password fields ( tags with type="password") are not auto-filled for fairly obvious security reasons. It doesn't matter that the field is added after page load by your GWT script.
Try mimicking the field in regular HTML and compare that to how your GWT app creates the DOM structure. Perhaps your GWT app is putting the page together differently?