For example:
string petname = Request.Form["petname"];
// I could add a custom sanitize class and run each field through it
petname = Helper.sanitize(petname);
// Something like that.
So if the generated pages doesn't sanitize data, why are they used?
What do you mean by "sanitize"? Are you talking about Request Validation to prevent script injection via posting of HTML? If so, the ASP.NET team decided not to include request validation in .NET Core. They feel that automatic encoding of output built into Razor is enough protection.
1. Screen every piece of user input on submission (which is what Request Validation did)
2. HTML encode all rendered output (which is what Razor does)
The .NET Core team opted for the latter approach - reasons are explained in the Github issue I linked to. However, values are not HTML encoded if they are applied to the value attribute of inputs or included within textarea elements. But any script that appears in those contexts isn't executed, like it would be if it was included elsewhere in an HTML document.
So Joe blow decides he's going to create an api so folks can get some data from his site.
Joe blow could also be saving passwords in plain text in a database, or worse still, attempting to collect and store credit card details in a site that doesn't even run on HTTPS. I've seen it all here.
Member
25 Points
61 Posts
Is generated code sanitized
May 04, 2020 04:19 AM|jimap_1|LINK
Untouched generated code here:
Take for example this line:
Is that asp-for also applying the equivalent of htmlentities? Or will I have to modify the code and do that myself?
A search for "<input asp-for" yielded https://docs.microsoft.com/en-us/aspnet/core/mvc/views/tag-helpers/intro?view=aspnetcore-3.1
I searched that page for "encode", "entity", "enti", "santi", "sanitize". No hits at all.
So if the generated pages don't sanitize data, why are they used? I normally sanitize the request, but again, if I have to sanitize each field, why the auto context instead of individual request?
For example:
Sorry this "generated" code still confuses me.
All-Star
194434 Points
28074 Posts
Moderator
Re: Is generated code sanitized
May 04, 2020 08:48 AM|Mikesdotnetting|LINK
https://github.com/aspnet/BasicMiddleware/issues/64
Member
25 Points
61 Posts
Re: Is generated code sanitized
May 04, 2020 05:55 PM|jimap_1|LINK
If not, what good is the code generation?
All-Star
48500 Points
18071 Posts
Re: Is generated code sanitized
May 04, 2020 11:17 PM|PatriceSc|LINK
Hi,
It is done when the value is rendered using Razor: https://docs.microsoft.com/en-us/aspnet/core/mvc/views/razor?view=aspnetcore-3.1#expression-encoding
Or you mean that you want to store HTML encoded strings to your database?
Member
25 Points
61 Posts
Re: Is generated code sanitized
May 05, 2020 01:36 AM|jimap_1|LINK
No I do not want HTML in DB. Okay an example so all will understand.
Example: In PHP Laravel Blade, Blade applies htmlentities to input.
All I want to know: Does the generated code apply htmlentities?
Escaping on rendering, ????
As a programmer I learned 3 rules:
1. Never trust user input.
2. Never trust user input.
3. Never trust user input.
So if I have to apply htmlentities myself, or a strip tags implementation myself, why does asp.net core even bother having code generators?
Fields need protection at input time also.
Contributor
2690 Points
874 Posts
Re: Is generated code sanitized
May 05, 2020 02:17 AM|Rena Ni|LINK
Hi jimap_1,
For this code, if you use htmlentities in PHP with the following code:
It could generate the HTML:
Is the result what you want?
Best Regards,
Rena
Member
25 Points
61 Posts
Re: Is generated code sanitized
May 05, 2020 04:02 AM|jimap_1|LINK
First in a generated model all you get is this:
The fields are not individually requested.
So in order to "clean" there I'd have to get each field individually something like:
Or in form:
My point and question, is this already being done?
And again, if not, why does asp.net even bother having a code generator?
Do you realize how many new to .net core don't realize these dangers?
All-Star
194434 Points
28074 Posts
Moderator
Re: Is generated code sanitized
May 05, 2020 08:45 AM|Mikesdotnetting|LINK
The .NET Core team opted for the latter approach - reasons are explained in the Github issue I linked to. However, values are not HTML encoded if they are applied to the value attribute of inputs or included within textarea elements. But any script that appears in those contexts isn't executed, like it would be if it was included elsewhere in an HTML document.
All-Star
48500 Points
18071 Posts
Re: Is generated code sanitized
May 05, 2020 10:49 AM|PatriceSc|LINK
Incoming form fields are not HTML encoded. Razor does this when the value is written to the page.
If you want to implement this a possible approach is to use https://www.stevejgordon.co.uk/html-encode-string-aspnet-core-model-binding
All-Star
53001 Points
23596 Posts
Re: Is generated code sanitized
May 05, 2020 11:27 AM|mgebhard|LINK
I think you are confused but I'm not sure what you are worried about. Can you provide a code example?
As explained several times above, Razor Pages HTML encodes dynamic output. The following code renders as encoded HTML.
@page
@model IndexModel
@{
    ViewData["Title"] = "Home page";
}
<div class="text-center">
    @Model.html
</div>
You must opt in to render raw HTML.
All-Star
58164 Points
15647 Posts
Re: Is generated code sanitized
May 05, 2020 03:09 PM|bruce (sqlwork.com)|LINK
No, unlike old asp.net, asp.net core does not sanitize input data. See this thread for why:
https://github.com/aspnet/BasicMiddleware/issues/64
Output is HTML encoded by default.
Member
25 Points
61 Posts
Re: Is generated code sanitized
May 05, 2020 04:29 PM|jimap_1|LINK
And none of you are the least bit concerned.
Output is HTML encoded by default.
What about an API? Doesn't some stored data get retrieved via PHP, Java, and other languages?
How does the "team" know how the data is handled?
You senior forum members should be trying your best to change that.
The problem is not everyone programming (newbies) knows to protect output. So Joe blow decides he's going to create an api so folks can get some data from his site.
Joe is new to this and folks can of course get data using other languages, are you seeing the problem?
All-Star
58164 Points
15647 Posts
Re: Is generated code sanitized
May 05, 2020 04:58 PM|bruce (sqlwork.com)|LINK
The reason Microsoft stopped supplying the sanitization is that in real life it's a difficult problem. Hackers learn every trick to bypass the sanitization. They decided that the false sense of security of a partial solution was worse.
Output encoding prevents simple defacement attacks and hidden script (one of the most common).
All-Star
48500 Points
18071 Posts
Re: Is generated code sanitized
May 05, 2020 06:45 PM|PatriceSc|LINK
It could be discussed endlessly, but it could be worse for beginners: what about those using non-Latin characters and doing string comparisons? Not sure a developer-oriented framework does this by default.
BTW before doing this you could consider also using https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/
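An added example, not code from this thread or from ASP.NET Core itself: a console program that calls System.Text.Encodings.Web.HtmlEncoder, the encoder Razor resolves by default for @expressions (the encoding mgebhard's Razor page above relies on, and the same transformation the model-binding approach Patrice linked would apply at input time instead). The pet-name strings are constructed samples; the second encoder shows the non-Latin case Patrice raises, where the default encoder turns every Greek letter into a numeric entity while a Unicode-range-relaxed encoder leaves them as typed.

```csharp
using System;
using System.Text.Encodings.Web;
using System.Text.Unicode;

class RazorEncodingDemo
{
    // Constructed sample values standing in for data read back from the database.
    static readonly string[] Samples =
    {
        "Fluffy",                          // plain ASCII: passes through untouched
        "<script>alert('xss')</script>",   // markup: angle brackets and quotes become entities
        "\"Rex\" & <b>friends</b>",        // ampersand and double quotes are encoded too
        "Μίκης",                           // non-Latin (Greek) pet name
    };

    // The encoder Razor uses when nothing else is configured: everything outside
    // Basic Latin is encoded as &#x....; entities.
    static readonly HtmlEncoder DefaultEncoder = HtmlEncoder.Default;

    // An encoder that still neutralises < > & " ' but allows all Unicode letters
    // through, so stored non-Latin text survives a round trip unchanged.
    static readonly HtmlEncoder UnicodeEncoder = HtmlEncoder.Create(UnicodeRanges.All);

    // Returns (stored, defaultEncoded, unicodeEncoded) for one value so the
    // difference between the two encoders can be inspected or compared.
    public static (string stored, string withDefault, string withUnicode) Encode(string stored)
    {
        return (stored, DefaultEncoder.Encode(stored), UnicodeEncoder.Encode(stored));
    }

    static void Main()
    {
        foreach (string s in Samples)
        {
            var (stored, withDefault, withUnicode) = Encode(s);
            Console.WriteLine($"stored  : {stored}");
            Console.WriteLine($"default : {withDefault}");
            Console.WriteLine($"unicode : {withUnicode}");
            // A string comparison against the stored value only holds for the
            // relaxed encoder when the text contains non-Latin letters.
            Console.WriteLine($"unchanged? default={stored == withDefault}, unicode={stored == withUnicode}");
            Console.WriteLine();
        }
    }
}
```

To make Razor itself use the relaxed encoder, register it in ConfigureServices with services.AddSingleton<HtmlEncoder>(HtmlEncoder.Create(UnicodeRanges.All)); this is the encoder customization the ASP.NET Core XSS documentation describes.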
All-Star
194434 Points
28074 Posts
Moderator
Re: Is generated code sanitized
May 07, 2020 09:02 AM|Mikesdotnetting|LINK
At least MS try to mitigate XSS by encoding output by default for ASP.NET developers. If people are consuming data from a third party using a different framework, they should do the same. You could just as well attack other web development frameworks for NOT encoding output by default.
And what about when you want to store HTML? So many sites have Request validation disabled for this very purpose, it's no surprise that MS decided not to bother introducing it back into .NET Core.