Just a quick question I was asked to go through a vb app and fix all the places where cross site scripting could happen. I changed the <%= to <%: and everywhere they were putting together html in the code and injected a string I changed to server.htmlencode or server.urlencode accordingly. My question is sometimes they are using htmlwriter. I'm assuming if they use htmlwriter I don't need to worry about cross site scripting as the writer will automtically encode any strings. Is that correct?
htmltextwriter and cross site scripting
1.8k Views Asked by Bryan Dellinger At
2
There are 2 best solutions below
1
Bryan Dellinger
On
just tried it sadly it does not protect you from cross site scripting I made an aspx page and in the code behind I put
protected void Page_Load(object sender, EventArgs e)
{
StringWriter stringWriter = new StringWriter();
using (HtmlTextWriter writer = new HtmlTextWriter(stringWriter)) {
writer.RenderBeginTag(HtmlTextWriterTag.Label);
writer.Write(
" < script > alert('.Net and the Terrible, Horrible, No Good, Very Bad Script');</ script > ");
writer.RenderEndTag();
}
Response.Write(stringWriter);
}
I ran the page and the javascript alert popped up so I guess htmltextwriter doesn't protect you from cross site scipting
Related Questions in ASP.NET
- Create an IIS web request activity light
- Writing/Overwriting to specific XML file from ASP.NET code behind
- What is the point of definnig Asp.net Intrinsic Objects In different places and what is the different betwen them?
- Deleting Orphans with Fluent NHibernate
- IOrderedEnumerable to vb.net IOrderedEnumerable Conversion
- Entity Framework Code First with Fluent API Concurrency `DbUpdateConcurrencyException` Not Raising
- Getting deeply embedded XML element values
- What is best way to check if any of the property of object is null or empty?
- NuGet - Given a type name or a DLL, how can I find the NuGet package?
- ASP-MVC Code-first migrations checkbox not active
- How do i add onclient click to my jquery button
- Jquery: Change contents of <select> tag dynamically
- Retrieving data from Oracle database
- ASP.NET: Fill Textbox field upon dropdownlist selection by user
- Why web API return 404 when deploy to IIS
Related Questions in VB.NET
- If...Then...Else Visual Basic 2012
- Detecting whether a mouse button is down in vb.net
- IOrderedEnumerable to vb.net IOrderedEnumerable Conversion
- vb.net Get PrivateMemorySize64 and process id sort by memory size
- Cannot insert values into database
- check validation of an expression with Regex
- VB.NET KeyNotFoundException from String()
- How do i display data that are in between 2 values in a DDL?
- VB.net: How to make original variable value fulfill 2 statements?
- Login form by using a new database, made in VB
- Get Text from listbox in VB.net
- error handing for uploading large size file
- XML Null Element Visual Basic
- Using chart and tooltip
- vb2010 Express - Operator '=' is not defined
Related Questions in WEBFORMS
- Writing/Overwriting to specific XML file from ASP.NET code behind
- Cannot find InvalidCastException in C# Application
- Read Hyperion Planning webform XML with VBScript
- ASP.NET Web Forms give error while connecting to Oracle 11g
- Most effective way to bind data models in WebForms without stored procedures?
- change loginpath for specific user, ASP.Net, webforms
- How to pass data from MVC Controller to ASPX Page?
- ASp.Net Identity Role manager
- ASP.NET Webforms project is reading from a web.config in a completely different solution on my PC when debugging
- popup login asp.net webform project with database code
- InnerHtml of div is always empty
- RadioButtonList value is null
- How to style asp.net menu control with responsive bootstrap css
- Getting the session ID causes the user to logout
- how to stop viewstate going stale?
Related Questions in XSS
- How to make a bookmarklet that executes functions in multiple pages without clicking again?
- XSS attack in wordpress?
- Spring MVC : Preventing Exceptions when binding model attribute
- XSS prevention and .innerHTML
- use of string in place of URL (in anti XSS)
- Does HTML Encoding have any cons?
- XSS in angularjs app and web api 2
- How to show the content from RichTextArea.getHMTL() in a div properly?
- jquery xss prevention when using html()
- Is it safe to rely on Content-Type: text/plain to mitigate malicious javascript execution in response?
- what is this usage of alert in javascript?
- Handling of character references in an embedded SVG's script tags
- XSS attack with querystring tampering generates exception
- Javascript form validation highlight invalid character
- ESAPI.validator().getValidInput returning "null" value
Related Questions in HTMLWRITER
- Adding a click event to a dynamic button rendered through a literal
- How to write set selected option in a dropdown from c#
- How to remove first two columns and hyperlinks from repeater exported excel
- change thead tags created by HtmlTextWriter
- Javax.swing.text, Lowagie, HTMLWriter adding image (Not from file)
- How to write regex to stop replace character between span or div tags?
- How to do do HtmlTextWriter.WriteAttribute with a single quote?
- Use anchor tag to open a blank window and write into it
- iText Can you use PdfPTable with HtmlWriter
- com.lowagie.text.html: HTMLWriter added image is empty
- Workbook gem - how to write the excel to html in a formatted manner?
- How do I stop HTMLWriter from writing bad HTML? (using HTMLEditorKit)
- htmltextwriter and cross site scripting
- font tag HTMLWriter
- How to make the header font bold while exporting dataset to excel?
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Yes, it does protect you from XSS when writing into a HTML document, however the
HtmlTextWriter.WriteEncodedTextmethod must be used.will output
to the stream.
Note that using
<%:andWriteEncodedTextare only suitable for outputting to a HTML context. They should not be used when outputting into JavaScript:In this context
HttpUtility.JavaScriptStringEncodeshould be used (with<%= %>brackets to prevent incorrectly HTML encoding too). This function also correctly encodes special characters, so if</script>was to be rendered in a script tag in an attempt to close the HTML script tag ready for an XSS attack, it would be rendered as:which is the correct encoding for JavaScript to understand it as
</script>, but without the browser interpreting it as a literal closing script tag. Some naively written JavaScript encoding routines would not convert this because the sequence does not contain\,"or'characters. I just thought I'd mention some of the nuances of preventing XSS for other people finding this post.If you don't make sure that closing script tags are not rendered, then an attack like so is possible
which the renders in the browser as
and the browser will interpret the script tag ending at
alert('</script>and simply execute what is in the new script tag.With the
JavaScriptStringEncodefunction this is safe as it is rendered as:which does not contain
</script>for the browser to interpret.