htmltextwriter and cross site scripting

Submitted by 匆匆过客 on 2019-12-02 06:48:06
SilverlightFox

Yes, it does protect you from XSS when writing into an HTML document; however, the HtmlTextWriter.WriteEncodedText method must be used.

' Assign a value to a string variable, 
' encode it, and write it to a page.
colHeads = "<custID> & <invoice#>" 
writer.WriteEncodedText(colHeads)
writer.WriteBreak()

will output

&lt;custID&gt; &amp; &lt;invoice#&gt;

to the stream.

Note that using <%: and WriteEncodedText are only suitable for outputting to an HTML context. They should not be used when outputting into JavaScript:

<script>
var myVariable = '<%: thisIsWrong %>';
</script>

In this context HttpUtility.JavaScriptStringEncode should be used (with <%= %> brackets to prevent incorrectly HTML encoding too). This function also correctly encodes special characters, so if </script> were to be rendered inside a script tag in an attempt to close the HTML script tag ready for an XSS attack, it would be rendered as:

\u003c/script\u003e

which is the correct encoding for JavaScript to understand it as </script>, but without the browser interpreting it as a literal closing script tag. Some naively written JavaScript encoding routines would not convert this because the sequence does not contain \, " or ' characters. I just thought I'd mention some of the nuances of preventing XSS for other people finding this post.

If you don't make sure that closing script tags are not rendered, then an attack like this is possible:

</script><script>alert(1)</script>

which then renders in the browser as

<script type="text/javascript">

alert('</script><script>alert(1)</script>');

</script>

and the browser will interpret the script tag ending at alert('</script> and simply execute what is in the new script tag.

With the JavaScriptStringEncode function this is safe as it is rendered as:

<script type="text/javascript">

alert('\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e');

</script>

which does not contain </script> for the browser to interpret.

Just tried it; sadly, it does not protect you from cross site scripting. I made an aspx page and in the code-behind I put

// Page_Load in the .aspx code-behind (class derives from System.Web.UI.Page;
// needs using System; System.IO; System.Web.UI;)
protected void Page_Load(object sender, EventArgs e)
{
    StringWriter stringWriter = new StringWriter();
    using (HtmlTextWriter writer = new HtmlTextWriter(stringWriter))
    {
        writer.RenderBeginTag(HtmlTextWriterTag.Label);
        // HtmlTextWriter.Write emits the string verbatim: the <script> tag is NOT encoded
        writer.Write("<script>alert('.Net and the Terrible, Horrible, No Good, Very Bad Script');</script>");
        writer.RenderEndTag();
    }
    Response.Write(stringWriter.ToString());
}

I ran the page and the JavaScript alert popped up, so I guess HtmlTextWriter doesn't protect you from cross site scripting.
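The two answers above are both right for different methods: HtmlTextWriter.Write passes markup through unchanged, WriteEncodedText HTML-encodes it, and neither is the right tool inside a JavaScript string literal. The following console program is an added example (not code from either answer) that renders the same attacker-controlled string three ways so the difference is visible in the output. It targets .NET Framework (System.Web assembly); the payload string and the method names RenderRaw, RenderHtmlEncoded and RenderScript are constructed for this demo.

```csharp
// Added example: compare HtmlTextWriter.Write, WriteEncodedText and
// HttpUtility.JavaScriptStringEncode on one untrusted input.
// Build against .NET Framework with a reference to System.Web.dll.
using System;
using System.IO;
using System.Web;
using System.Web.UI;

static class EncodingDemo
{
    // Constructed attacker-controlled input: tries to break out of a <script> block.
    const string Payload = "</script><script>alert(1)</script>";

    // Same pattern as the second answer: Write() emits the string verbatim,
    // so the browser sees real <script> tags.
    static string RenderRaw(string untrusted)
    {
        var sw = new StringWriter();
        using (var w = new HtmlTextWriter(sw))
        {
            w.RenderBeginTag(HtmlTextWriterTag.Label);
            w.Write(untrusted);
            w.RenderEndTag();
        }
        return sw.ToString();
    }

    // Same pattern as the first answer: WriteEncodedText() HTML-encodes
    // '<', '>' and '&', so the payload is displayed as text, not parsed as tags.
    // Correct only for an HTML text context (element content).
    static string RenderHtmlEncoded(string untrusted)
    {
        var sw = new StringWriter();
        using (var w = new HtmlTextWriter(sw))
        {
            w.RenderBeginTag(HtmlTextWriterTag.Label);
            w.WriteEncodedText(untrusted);
            w.RenderEndTag();
        }
        return sw.ToString();
    }

    // JavaScript string-literal context: HTML encoding would leave "&lt;" inside
    // the JS string, so use JavaScriptStringEncode, which escapes '<', '>' and '&'
    // as \uXXXX so "</script>" can never appear literally in the emitted script.
    static string RenderScript(string untrusted)
    {
        var sw = new StringWriter();
        using (var w = new HtmlTextWriter(sw))
        {
            w.AddAttribute(HtmlTextWriterAttribute.Type, "text/javascript");
            w.RenderBeginTag(HtmlTextWriterTag.Script);
            w.Write("var name = '");
            w.Write(HttpUtility.JavaScriptStringEncode(untrusted));
            w.Write("';");
            w.RenderEndTag();
        }
        return sw.ToString();
    }

    static void Main()
    {
        Console.WriteLine("--- Write (unsafe) ---");
        Console.WriteLine(RenderRaw(Payload));

        Console.WriteLine("--- WriteEncodedText (HTML context) ---");
        Console.WriteLine(RenderHtmlEncoded(Payload));

        Console.WriteLine("--- JavaScriptStringEncode (JS string context) ---");
        Console.WriteLine(RenderScript(Payload));

        // The check a reviewer cares about: does the encoded value still contain
        // a literal closing script tag that the HTML parser would act on?
        string jsEncoded = HttpUtility.JavaScriptStringEncode(Payload);
        Console.WriteLine("JS-encoded value contains literal </script>: "
                          + jsEncoded.Contains("</script>"));
        Console.WriteLine("HTML-encoded value contains literal </script>: "
                          + HttpUtility.HtmlEncode(Payload).Contains("</script>"));
    }
}
```

Note that HtmlTextWriter.AddAttribute encodes attribute values by default, whereas Write and WriteLine never encode; choose the method by the context you are writing into (element text, attribute value, or JavaScript literal), not by the fact that an HtmlTextWriter is in use.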
