XSS in angularjs app and web api 2 -


i have web application. using angularjs , web api2.

i have simple form user can insert free text send via email other people. text saved on db , later can shown in web site page. knew didn't need check input of user, because in web api, text automatically encoded. expected if user, example, type

<script type="..">...</script>

i receive server side, in web api controller, this:

&lt;script type=&quot;..&quot;&gt;...&lt;/script&gt;

i receive instead 

<script type="..">...</script>

nothing changed.

how can encode input sure application not receive xss attack? should leave input unchanged change value when put in email? , when save in database? should saved in form 

<script type="..">...</script>

and encoded when show in page?

in moment added in web.config 

<httpruntime ... encodertype="system.web.security.antixss.antixssencoder,system.web, version=4.0.0.0, culture=neutral, publickeytoken=b03f5f7f11d50a3a" />

but nothing seems changed.

thank you

you have multiple possibilities, can encode string data received (https://github.com/mathiasbynens/he) before saving them db, in manner don't need nothing displaying them, because displayed string &lt;script type=&quot;..&quot;&gt;...&lt;/script&gt; example.

but if still want accept html tags <p>, <strong>, etc... should save input without encoding , using sanitizer display them: https://docs.angularjs.org/api/ng/directive/ngbindhtml


Comments

Post a Comment

Popular posts from this blog

javascript - Google App Script ContentService downloadAsFile not working -

i have web app developed using google app script htmlservice , html form, populating excel sheet in google drive using spreadsheetapp . , 1 section calling contentservice download data excel file. function doget(e) { // read excel sheet //getappfile(); // render application html template return htmlservice.createtemplatefromfile('index').evaluate() .settitle('go smart') .setsandboxmode(htmlservice.sandboxmode.iframe); } function downloaddoublequatecsvfile() { var sheetid = propertiesservice.getscriptproperties().getproperty('sheetid'); var ss = spreadsheetapp.openbyid(sheetid).getactivesheet(); //var ss = spreadsheetapp.getactivespreadsheet().getactivesheet(); var maxcolumn = ss.getlastcolumn(); var maxrow = ss.getlastrow(); var data = ss.getrange(1, 1, maxrow, maxcolumn).getvalues(); if (data.length > 1) { var csv = ""; (var row = 0; row < data.length; row++) { (var c...
Read more

javascript - Function overwritting -

is there way overwrite function or event handling in function? using addeventlistener, can have many event handlers on element want var test=document.getelementbyid("div"); test.addeventlistener("click",function(){alert("im first");},false); test.addeventlistener("click",function(){alert("im second");},false); // alerts "im first" , after "im second" but if want overwrite function/event example based on client width example this function one() { alert("first"); } function two() { alert("second"); } window.onresize = function() { var test = document.getelementbyid("div"); if (window.innerwidth > 500) { test.onclick = 1 } else { test.onclick = two; } } is possible in javascript? in case use effective little known approach. addeventlistener can accept object property handleevent event handler. in case it's easy overwr...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more