Just a quick question. I was asked to go through a VB app and fix all the places where cross-site scripting could happen. I changed the <%= to <%: and, everywhere they were putting together HTML in the code and injecting a string, I changed it to Server.HtmlEncode or Server.UrlEncode accordingly. My question is that sometimes they are using HtmlWriter. I'm assuming that if they use HtmlWriter I don't need to worry about cross-site scripting, as the writer will automatically encode any strings. Is that correct?
htmltextwriter and cross site scripting
1.8k views. Asked by Bryan Dellinger.
There are 2 answers.
Answer by Bryan Dellinger:
Just tried it; sadly it does not protect you from cross-site scripting. I made an aspx page and in the code behind I put

    // Code-behind of the test .aspx page (needs System.IO and System.Web.UI)
    protected void Page_Load(object sender, EventArgs e)
    {
        StringWriter stringWriter = new StringWriter();
        using (HtmlTextWriter writer = new HtmlTextWriter(stringWriter))
        {
            writer.RenderBeginTag(HtmlTextWriterTag.Label);
            // HtmlTextWriter.Write copies the string through verbatim, with no encoding
            writer.Write(
                "<script>alert('.Net and the Terrible, Horrible, No Good, Very Bad Script');</script>");
            writer.RenderEndTag();
        }
        Response.Write(stringWriter);
    }

I ran the page and the JavaScript alert popped up, so I guess HtmlTextWriter doesn't protect you from cross-site scripting.
Yes, it does protect you from XSS when writing into an HTML document; however, the HtmlTextWriter.WriteEncodedText method must be used.
will output
to the stream.
Note that using <%: and WriteEncodedText are only suitable for outputting to an HTML context. They should not be used when outputting into JavaScript:
In this context HttpUtility.JavaScriptStringEncode should be used (with <%= %> brackets to prevent incorrectly HTML encoding too). This function also correctly encodes special characters, so if </script> was to be rendered in a script tag in an attempt to close the HTML script tag ready for an XSS attack, it would be rendered as:
which is the correct encoding for JavaScript to understand it as </script>, but without the browser interpreting it as a literal closing script tag. Some naively written JavaScript encoding routines would not convert this because the sequence does not contain \, " or ' characters. I just thought I'd mention some of the nuances of preventing XSS for other people finding this post.
If you don't make sure that closing script tags are not rendered, then an attack like so is possible:
which then renders in the browser as
and the browser will interpret the script tag ending at alert('</script> and simply execute what is in the new script tag.
With the JavaScriptStringEncode function this is safe as it is rendered as:
which does not contain </script> for the browser to interpret.
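As an added example (my own, not code from either answer), the following .NET Framework console program puts the encoding choices from both answers side by side: HtmlTextWriter.Write, which copies untrusted text into the HTML unchanged; WriteEncodedText, which HTML-encodes it; and HttpUtility.JavaScriptStringEncode for a JavaScript string context. It assumes a project that references System.Web.dll, and the untrusted input strings are constructed for the demonstration.

```csharp
// Added example, not from the original post. Assumes .NET Framework with a
// reference to System.Web.dll (HtmlTextWriter lives in System.Web.UI).
using System;
using System.IO;
using System.Web;
using System.Web.UI;

static class EncodingContexts
{
    // HTML body context. Write() copies the string through verbatim, so markup in
    // untrusted data becomes live markup; WriteEncodedText() HTML-encodes it
    // (< becomes &lt; and so on) so the browser shows it as plain text.
    public static string RenderLabel(string untrusted, bool encode)
    {
        var sw = new StringWriter();
        using (var w = new HtmlTextWriter(sw))
        {
            w.RenderBeginTag(HtmlTextWriterTag.Label);
            if (encode) w.WriteEncodedText(untrusted);
            else w.Write(untrusted);
            w.RenderEndTag();
        }
        return sw.ToString();
    }

    // JavaScript string context. HTML encoding is the wrong tool here because the
    // browser does not HTML-decode inside <script>; JavaScriptStringEncode escapes
    // quotes, backslashes and the < > characters, so a "</script>" inside the data
    // can no longer terminate the script block early.
    public static string RenderScript(string untrusted)
    {
        string literal = HttpUtility.JavaScriptStringEncode(untrusted);
        return "<script>var name = \"" + literal + "\";</script>";
    }

    static void Main()
    {
        // Constructed test inputs: the same kind of string the first answer used.
        const string bodyInput = "<script>alert('xss')</script>";
        const string scriptInput = "</script><script>alert('xss')</script>";

        Console.WriteLine(RenderLabel(bodyInput, encode: false)); // unsafe: tag survives
        Console.WriteLine(RenderLabel(bodyInput, encode: true));  // safe: tag is encoded
        Console.WriteLine(RenderScript(scriptInput));             // safe: no raw </script>
    }
}
```

Compare the three lines the program prints: only the first one contains a literal script element, which is exactly the case the first answer reproduced on a page.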