cross-site scripting attacks

ALX

Well-known member
Joined
Nov 16, 2005
Messages
232
Location
Columbia, SC
Programming Experience
10+
I've been going back & forth on the issue of user input validation as far as protecting my MVC site from xss attacks. I'm using VS2019 with .NET 4.8. The app includes a very simple feedback forum with user input for Name, EMail & Comments. From the controller, existing database data is sent as a datatable (dt1) to the View in the Viewbag. A simplified version of the code in the View involves a table for displaying existing posts as:

VB.NET:
<table>

    @for (int j = ViewBag.dt1.Rows.Count - 1; j >= 0; j--)

    <tr>

        <td>@ViewBag.dt1.Rows[j][0]</td>    @*UserName*@

        <td>@ViewBag.dt1.Rows[j][2]</td>     @*Date*@

        <td>@ViewBag.dt1.Rows[j][1]</td>    @*email (Displayed as "******")*@

        <td>@ViewBag.dt1.Rows[j][3]</td>    @*Text*@

    </tr>

</table>

And the current user's input is accepted in textboxes and a textarea as:


VB.NET:
 @Html.TextBoxFor(m => m.UserName1 ... etc.

    @Html.TextBoxFor(m => m.EMail2 ...

    @Html.TextAreaFor(m => m.Text1 ...

By disabling validation and without using any additional XSS protection schemes, I have been unable to enter any input that would be rendered as active HTML. Everything I input; <script>alert("XSS attack")</script> etc is rendered as plain text, which is exactly what I want. There is no need to allow HTML in any of the input fields. In spite of the fact that it works perfectly as is, I have been warned by many that I still need to sanitize the input. OK, fine...

With AntiXSS and other encoders as well, an apostrophe is displayed in the table as &#39 so if the user enters "Sam's" it gets displayed as Sam&#39s. That and a few other encoding examples are simply not acceptable, so I've been tossing aound the idea of creating my own little blacklist... Say maybe a small procedure in the Model to alter certain characters and remove others...


VB.NET:
 public string CleanText(string Text)

        {

            Text = Text.Replace((char)39, (char)700);        //    Swap apostrophe with modifier letter apostrophe

            Text = Text.Replace((char)60, (char)32);        //    Get rid of angle brackets

            Text = Text.Replace((char)62, (char)32);

        ...


            return Text;

        }

I would greatly appreciate any critique & guidance here. If this blacklist approach could work, I'd be thankful for more character suggestions that need to be modified.
 
Last edited:

ALX

Well-known member
Joined
Nov 16, 2005
Messages
232
Location
Columbia, SC
Programming Experience
10+
After many hours of messing with various HTML encoders, trying to get my web site to display user input correctly, I've come to the conclusion that VS2019 is already HTML.encoding the user input as the default. If this is true, why on earth would the default arrangement be throwing an exception when any potentially dangerous user input was received.
 
Top Bottom