asp.net - Preventing XSS attacks to dynamically created DOM webpages and dynamically generated javascript event handlers -


i have read following article:

https://msdn.microsoft.com/en-us/library/bb355989.aspx

now article allows me understand xss vulnerability defense webpage statically made of asp , html controls built on webpage in true markup layout fashion. understand that control input should use not server side in validation input should validate length, range, format , type. question have trying sanitize website page layout controls build on dom object dynamically when page loads. example on page load event methods add controls document object 1 @ time in method builds entire webpage during calling method. also, control event handling done methods send concatenated javascript strings, during page load, output page handle page control events. guess question is, how use asp.net validation controls, regex checking, etc. functionally when built, dom , javascript event handling on loading of webpage?

i'm afraid ms article has misled you. represents misguided, discredited approach handling injection issues. (asp.net request validation in particular unreliable waste of time.)

input validation valuable ensuring incoming data conform expected business rules , doesn't contain confusing characters control characters, not reliable means of preventing html or js injection issues leading cross-site-scripting.

the way prevent injection issues is, whenever inserting text wider context, encode text fit context. so, when you're templating string html, html-escape it; when you're putting parameter url, url-escape it; when you're writing string <script> block, js-escape it, , on.

in asp.net templates means using <%: ... %> construct put content in page instead of <%= ... %>, html-escapes automatically. (in razor, @{...} construct automatically escapes.)

at client side have @ code being used create new dom elements. in general classic bad pattern out creating markup strings inserted it, like:

element.innerhtml = '<div>hello, '+name+'</div>';

the quick fix here write function html-escaping on client side, eg:

function escapehtml(s) {     return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;'); }  element.innerhtml = '<div>hello, '+escapehtml(name)+'</div>';

it's better avoid kind of dom-xss problem writing data directly dom properties, don't need escaping:

var div = document.createelement('div'); div.textcontent = 'hello, '+name; element.appendchild(div);

(similarly if using jquery, prefer setting text() , attr() html().)


Comments

Post a Comment

Popular posts from this blog

c# - Validate object ID from GET to POST -

i have method allows user access comment have made on site. have post method lets them update comment. my normal solution send entire comment model through, let them update it, update on database when post back. involve sending commentid through in hiddenfor , can manipulated. how can verify commentid sent in get method same i'm getting in post , not able alter comment wish? how can verify commentid sent in method same i'm getting in post? basically have validate following things in post - user logged-in user. authenticated users post comments. commentid in post , should valid commentid , should present in database. userid associated logged-in user should same userid associated comment . comment should contain userid column, can check @ time of update. to make sure update happens comment has been sent in get - hold commentid in session , in post action compare commentid value in session .
Read more

node.js - Custom Model Validator SailsJS -

when using custom model validator checks record within model. return within spread doesn't seem end control flow. //post.js model /** * custom validator **/ types: { isuservalid: function(user_id) { var promise = require('bluebird'); promise.all([ user.findone({id: user_id}) ]) .spread(function(user) { console.log(user); if (user === null || user === undefined) { console.log('failed'); return false; }else{ console.log('passed'); return true; } }); } }, my response standard validation failed response. { "error": "e_validation", "status": 400, "summary": "1 attribute invalid", "model": "post", "invalidattributes": { "owner": [ { "rule": "isuservalid", ...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more