I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?
EDIT. Here is an example of the stringbuilder. when the page gets loaded the xss vulnerability occurs right after the javascript is generated.
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
sb.Append("<script type='text/javascript'>");
//add +1 to each item
sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
sb.Append("\"entity.id=" + _prodID + "\",");
sb.Append("\"entity.categoryId=" + _categoryID + "\",");
sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
//The following value has been taken from the productImageControl code behind.
//Might have to refactor in future as a property of the image control.
string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
+ AppSettingsManager.Current.ProductImageExtension;
sb.Append("\"entity.thumbnailURL=" + filename + "\",");
sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
//The last line has to be /script. < inserted on prev line. do not change it or bad things will happen.
sb.Append("/script>");
}
this.LiteralMBoxScript.Text = sb.ToString();
You need to properly encode any user-generated data that you're putting into the Javascript.
In ASP.Net 4.0, you can call HttpUtility.JavaScriptStringEncode.
In earlier versions, you can use the Web Protection Library.
To prevent XSS you could HTML encode the value.
Alternately, you could write your javascript to read the user supplied data off of the page. This will result in less javascript code, and a faster page load.
If you are using JQuery for example, you can use the $.Parent() and $.Children() selectors to traverse the DOM to the appropriate form controls to reference information about that particular record in the loop.
Here is a relatively simple sample
function doSomething(context) {
var IDInput = $(context).parent('td').parent('tr').children('td.id').children('.hidden');
//Do something with the value
IDInput.val();
}
This would work with the following html example:
<table>
<tr>
<td><input type="button" onclick="doSomething(this)" value="Do Something"/></td>
<td class="id">Hidden ID Value <input type="hidden" value="1"/></td>
</tr>
<tr>
<td><input type="button" onclick="doSomething(this)" value="Do Something"/></td>
<td class="id">Hidden ID Value <input class="hidden" type="hidden" value="2"/></td>
</tr>
</table>
The advantage of doing it this way is that you no longer have to write javascript functions that take the ID as a parameter, meaning you don't need to dynamically generate the functions on the button, and can load them in the header in a separate JS file.
Well, if it is just your own script being written to the literal, you are no more open to attacks than if you simply included a js file on your site. If on the otherhand your script is interspersed with user supplied data of any kind, then you need to sanitize that data before you write it to the page.
If you are using .NET 4.0, you could output the value using the <%: theText %> syntax.
Related
I would like for C# to detect the variables in my mailbody and replace them with the values each of them already has in my method.
I'm saving my mails in a TEXT datatype in mysql
This is what i save into my Text:
<html>
<h1>
<span style='text-decoration: underline;'>
<strong>Solicitud</strong>
</span>
</h1>
<br/>" + "<body>Blabla" + user.Nombre + " " + user.Apellido + " p<br/>La razón a que: <br />"+ razon+ ".</body>
</html>
I want it to replace user.Nombre user.Apellido and razon which are variables already available in the method
For example if my method has:
user.Nombre = "MATT";
user.Apellido ="CASA";
razon = "why not?";
Then detecting the variables i would have:
<html>
<h1>
<span style='text-decoration: underline;'>
<strong>Solicitud</strong>
</span>
</h1>
<br/>" + "<body>Blabla" + "MATT"+ " " + "CASA" + " p<br/>La razón a que: <br />"+ "Why not?"+ ".</body>
</html>
The problem is making C# detect that the string already has variables inside of it.
If I understand your question correctly, which is pretty hard given then English you have used.
You want to replace a parts of a string you retrieved from a database?
You can perform string replacements like the below example.
string email = emailAsString.Replace("+ user.Nombre +", variable1);
You can read more on this here, if you so wish.
String Replace - https://www.dotnetperls.com/replace
Well searched far and wide in the web, there is a method to compile manually but its highly dangerous so I decided to use String.Format , and the templates of my mails swap the "+ variable +" to {#}
Interpolating a string stored in a database
After retrieving use:
var formatedString= String.Format(string , variables);
I'm getting a string from a list of items, The string is currently displayed as "item.ItemDescription" (the 9th row below)
I want to strip out all html from this string. And set a character limit of 250 after the html is stripped.
Is there a simple way of doing this?
I saw there was a posts saying to install HTML Agility Pack but I was looking for something simpler.
EDIT:
It does not always contain html, If the client wanted to add a Bold or italic tag to an items name in the description it would show up as <"strong">Item Name<"/strong"> for instance, I want to strip out all html no matter what is entered.
<tbody>
#foreach (var itemin Model.itemList)
{
<tr id="#("__filterItem_" + item.EntityId + "_" + item.EntityTypeId)">
<td>
#Html.ActionLink(item.ItemName, "Details", "Item", new { id = item.EntityId }, null)
</td>
<td>
item.ItemDescription
</td>
<td>
#if (Model.IsOwner)
{
<a class="btnDelete" title="Delete" itemid="#(item.EntityId)" entitytype="#item.EntityTypeId" filterid="#Model.Id">Delete</a>
}
</td>
</tr>
}
</tbody>
Your best option IMO is to night get into a parsing nightmare with all the possible values, why not simply inject a class=someCssClassName into the <td> as an attribute. Then control the length, color whatever with CSS.
An even better idea is to assign a class to the containing <tr class=trClass> and then have the CSS apply lengths to child <td> elements.
You could do something like this to remove all tags (opening, closing, and self-closing) from the string, but it may have the unintended consequence of removing things the user entered that weren't meant to be html tags:
text = Regex.Replace(text, "<\/?[^>]*\/?>", String.Empty);
Instead, I would recommend something like this and letting the user know html isn't supported:
text = text.Replace("<", "<");
text = text.Replace(">", ">");
Just remember to check for your 250 character limit before the conversion:
text = text.Substring(0, 250);
This Regex will select any html tags (including the ones with double quotes such as <"strong">:
<[^>]*>
Look here: http://regexr.com/3cge4
Using C# regular expressions to remove HTML tags
From there, you can simply check the string size and display appropriately.
var itemDescriptionStripped = Regex.Replace(item.ItemDescription, #"<[^>]*>", String.Empty);
if (itemDescriptionStripped.Length >= 250)
itemDescriptionStripped.Substring(0,249);
else
itemDescriptionStripped;
I am rendering page layout inside javascript but I would like to use there some CMS helpers. Rendering works well but helpers doesn't work (I obtained "NaN" instead of text I wanted). How can I add helpers to javascript variable?
var detailsTemplate =
'<table cellspacing="0" cellpadding="0">' +
'<tr>' +
'<th class="info">' +
<%# CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %> +
'</th>' +
'</tr>' +
'<tbody>' +
'{0}' +
'</tbody>' +
'</table>'
Set single quotation marks around the ASP tags:
'<th class="info">' +
'<%# CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %>' +
'</th>'
Look at the code generated and you will see, without the quotes you will have something like '<th>' + foo + '</th>' which will cause your current error. With the quotation marks you will have '<th>' + 'foo' + '</th>' which will run fine.
It works, I just add:
<span runat="server"> <js code..> </span>
and changed helper to (without single quotes):
<%= CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %>
I am working on a hrms project in which I have to make the program for time sheet.
I need to take starting date and ending date from the user and depending on the difference of the two dates i have to generate textboxes fro entering time dynamically.that too in the specified place.
can anybody help me out.
I have done something very similar to that. Basically, I create a HTML table and create as many columns as needed and create a TextBox in each of those columns like this:
myColumn.InnerHtml = "<table>";
int length = THE NUMBER OF TEXTBOXES YOU WANT TO ADD BASED ON THE DATES;
int i = 1;
while (i <= length)
{
myColumn.InnerHtml += "<tr>";
myColumn.InnerHtml += "<td><input id='whatever" + i.ToString() + "' type='text' runat='server'></td>";
unavailableColumn.InnerHtml += "</tr>";
i++;
}
unavailableColumn.InnerHtml += "</table>";
myColumn is declared in the aspx like this:
<table>
<tr>
<td id="myColumn" runat="server" visible="false" style="width: 35%; vertical-align: top">
</td>
</tr>
</table>
This code should be added when you have entered the two dates, in order to create the textboxes dynamically. Hope this helps!
You need to either:
a) Take a postback with entered values, and generate new textboxes in CreateChildControls, depending on the values
or
b) Add them with JavaScript and take their values from Request manually.
I need help. I'm trying to make a .Net, c# application for online creating surveys. I have a few types of questions, and than I dynamicly put labels, combos, textboxes ... on the form. Up to this point, I somehow managed to get. Than, on click on add button, I write down the responses in html format using stringBuffer and append function. Example.
public string RetOptionalQuestion(string seq_numm, string question, string answersOpt)
{
StringBuilder _output = new StringBuilder();
_output.Append(# " <tble><t"r"><th>" + seq_numm + "." + question + "</th></tr>");
_output.Append(#"<tr><td><table>");
string[] words = answersOpt.Split(';');
int m = 0;
foreach (string word in words)
{
if (word != "")
{
_output.Append(#" <tr><td> <label> " + word + "</label> </td> <td>
<input id='optional" + question + Convert.ToString(m) +
"'type='radio' name='rbOpt" + question + "' </td> ");
m++;
}
}
_output.Append("</table></td></tr></table>");
return _output.ToString();
}
Now, I hawe to validate this questions(at least one radio checked...). They have the same name,this mean the same group, so only on e can be selected.
Than I have also to save the values(responses) of this questions to the database.
Problem is that I don't know how to operate with this html objects. Also how to set tehm the ID-s. I'm trying with javaScript , but with no success. Do you have any advice, hint, example, solution ... where to start...
I would be very pleased
Thanks, Martin
Any input controls posted to the form can be found in the Request.Form dictionary, the key is the 'Name' attribute of the input tag. (I think)
http://msdn.microsoft.com/en-us/library/ms525985(v=vs.90).aspx