Michael Graham, MSFT
Marked as answer by cts-mgraham on May 02, 2011 07:46 PM
cjbeartx
Member
2 Points
2 Posts
XSS problem
Apr 07, 2011 07:32 PM
I'm having a problem with sanitizing the following code for a cross-site scripting vulnerability. When I enter the value:
""><script>alert(123)</script>
into the field in the form and click the Send button, the aforementioned script is added to my source code on the page. I tried using Server.HTMLEncode on the request to encode the invalid characters (such as the "<>/ etc.) but couldn't get it to work.
Suggestions?
<%
Function GetErrorMessage(strMessage)
GetErrorMessage = "<br/><div style='color:red; font-size:11px;'>" & strMessage &"</div>"
End Function
dim errProdname
dim formWithError
dim errorMessage
formWithError = false
errProdname = ""
%>
<link rel="stylesheet" type="text/css" href="estilo.css">
<table width="590" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td bgcolor="#D0D1D3">
<table width="100%" border="0" cellspacing="7" cellpadding="3">
<form method="post" action="prodquestion.asp?accion=enviar" onsubmit="return Validacion(this)" id="consultationform" name="consultationform">
<tr>
<td width="30%" align="right" class="textoform">
Product Name
</td>
<td >
<input name="prodname" type="text" class="combotext" size="35" maxlength="50" value="<%=request("prodname")%>">
<%=errProdname%>
</td>
</tr>
<tr>
<td colspan="2" align="center">
<button type="reset" id=button1 name=button1 style="border:0;background-color:#D0D1D3;cursor:hand;cursor:pointer;"><img title="Clear" src="/v/vspfiles/images/new/btn-clear.jpg" alt="Clear" border="0"></button>
<button type="submit" id=button1 name=button1 style="border:0;background-color:#D0D1D3;cursor:hand;cursor:pointer;"><img title=" Send " src="/v/vspfiles/images/new/btn-send.jpg" alt=" Send " border="0"></button>
</td>
</tr>
</form>
</table>
</td>
</tr>
</table>
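The script in the question lands in the page because the posted value is written straight into the value="" attribute, so the leading "> closes the attribute and the <script> tag is parsed as markup. The fix belongs at that output point, not on the request object. The following classic ASP/VBScript fragment is an added example, not the original poster's code; it assumes the same prodname field and the same GetErrorMessage helper as the question, and the SafeHtml function name is a hypothetical choice for this illustration.

```asp
<%
' Added example, not the original poster's code. Encode untrusted input at
' the point where it is written into HTML, so a value such as
'   ""><script>alert(123)</script>
' is rendered as literal text instead of closing the value="" attribute.
' Assumes the same form field name "prodname" as in the question.

Function SafeHtml(value)
    ' A missing field comes back as Empty; normalise Empty/Null to "" before
    ' encoding so the helper never raises on an absent value.
    If IsNull(value) Or IsEmpty(value) Then
        SafeHtml = ""
    Else
        ' Server.HTMLEncode turns < > & and " into &lt; &gt; &amp; &quot;,
        ' which is what stops the "> sequence from ending the attribute.
        SafeHtml = Server.HTMLEncode(CStr(value))
    End If
End Function

' Request.Form reads only the POST body; Request("prodname") would also
' accept the value from the query string, which the form never sends.
Dim prodname
prodname = SafeHtml(Request.Form("prodname"))

' The same rule applies to the error message helper from the question:
' anything that may contain user input is encoded before concatenation.
Function GetErrorMessage(strMessage)
    GetErrorMessage = "<br/><div style='color:red; font-size:11px;'>" & SafeHtml(strMessage) & "</div>"
End Function
%>
<!-- The encoded value is displayed as typed but can no longer terminate the attribute -->
<input name="prodname" type="text" class="combotext" size="35" maxlength="50" value="<%=prodname%>">
```

With this in place the posted value ""><script>alert(123)</script> is emitted as &quot;&quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt; inside the attribute: the browser shows the original characters in the text box and no script element is created. The same SafeHtml wrapper should sit around every other Request value the page echoes, since any one unencoded output point is enough to reintroduce the problem.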
Decker Dong ...
All-Star
118619 Points
18779 Posts
Re: XSS problem
Apr 10, 2011 01:29 AM
Generally speaking, as far as I know, I think ASP.NET, for its security, doesn't allow a JS script to be executed.
However, if you really want to do so, please try either of the two ways:
1) In web.config, you can see the <system.web> tags; please add this inside: <pages validaterequest="false"/>
Sample:
<?xml version="1.0" encoding="gb2312" ?>
<configuration>
<system.web>
<pages validaterequest="false"/>
</system.web>
</configuration>
2) In the head of your aspx page:
<%@ page validaterequest="false" language="c#" codebehind="index.aspx.cs" autoeventwireup="false" inherits="mybbs.webform1" %>
cjbeartx
Member
2 Points
2 Posts
Re: XSS problem
Apr 11, 2011 07:01 PM
Unfortunately, in this scenario, all changes will have to take place within the aspx page, and entering the header you suggested produces an HTTP 500 - Internal server error.
Thoughts?
cts-mgraham
Contributor
3318 Points
642 Posts
Microsoft
Re: XSS problem
Apr 19, 2011 02:32 PM
Setting validateRequest to false will simply tell ASP .NET not to check the value when the post is received. It sounds like you want to sanitize this script before the post is even sent. Is that true? What is your code for Validacion(this)? Is that where you are trying to clean this up so that it can be verified? Can you be more specific about exactly what you need to accomplish? I can say this:
By default, ASP .NET shouldn't allow that to be posted - you should get some kind of "potentially dangerous" error. So, what exactly do you want to have happen if someone enters that script line in a text box and hits submit?