Security Considerations
When can you trust what someone enters into the text fields of your Blocks? Almost never. For the most part, you need to concern yourself with the blocks that will run on the external website. Those blocks will be under attack, and script-kiddies will try to inject HTML and cross-site scripting (XSS) payloads to cause maximum havoc. Want to understand XSS more? Read this article.
> "Many times the hacker will use the 'comments' feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour."
>
> from Cross Site Scripting – XSS – The Underestimated Exploit
This is such a serious threat that Google will pay you $7k if you find one in their code.
Now that you understand the serious nature of the problem, continue reading to find out what you need to do.
According to MSDN best practices, encoding should happen only just prior to the value being sent to the browser:

> Q. Can I encode the input and store it in a data store?
>
> A. No, encoding should be performed just before the input is sent to the browser, and if input is encoded using HtmlEncode then it cannot be used in other contexts such as JavaScript or Url etc.
Therefore, depending on the scenario, either scrub the value using the `SanitizeHtml(bool strict)` string extension method or encode it using `HttpUtility.HtmlEncode(string)`, in both cases after retrieving the data from an Entity. Sanitizing keeps safe markup and strips the dangerous parts; encoding turns every tag into inert text.

The following table shows what each approach produces for several inputs, as the browser renders it:
Input | SanitizeHtml(false) | SanitizeHtml(true) | HtmlEncode |
---|---|---|---|
`<b>bold</b>` | `<b>bold</b>` | | `<b>bold</b>` |
Hi, I'm Joe. | Hi, I'm Joe. | Hi, I'm Joe. | Hi, I'm Joe. |
It's "Good" & safe | It's "Good" & safe | It's "Good" & safe | It's "Good" & safe |
`<img src="foo">` | `<img src="foo" />` | | `<img src="foo">` |
`<script>alert('bad')</script>` | | | `<script>alert('bad')</script>` |
`<div onclick="alert('xss')">Clickable Content</div>` | `<div>Clickable Content</div>` | | `<div onclick="alert('xss')">Clickable Content</div>` |
There may be certain cases where you've decided that it's quite safe to encode or sanitize before the data is saved, but be warned: if you're not 100% correct you could end up with various encoding problems. For example, consider the following scenario where input was encoded before being saved to the entity/database and then encoded again (as usual) before being displayed, so the user sees the entities rather than the text:
Input | Encoded Before Save (renders as) | Encoded Again, Before Display (renders as) |
---|---|---|
Not "Good" | `Not &quot;Good&quot;` (renders as: Not "Good") | `Not &amp;quot;Good&amp;quot;` (renders as: `Not &quot;Good&quot;`) |
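The two points above, encoding once at output and choosing the encoder for the output context, as an added example that is not part of the Rock wiki or the Rock code base. It assumes a reference to System.Web (present in any ASP.NET Web Forms project) and uses a constructed sample input; the method names are hypothetical.

```csharp
// Added example (not Rock code). Needs a reference to System.Web.
using System;
using System.Web;

static class OutputEncodingDemo
{
    // Recommended pattern: keep the raw value in the data store and encode
    // once, at the moment it is written into HTML.
    public static string RenderAsHtml(string storedValue)
    {
        return HttpUtility.HtmlEncode(storedValue);
    }

    // The anti-pattern the text warns about: encoding before the save.
    // Render this through RenderAsHtml and the entities get encoded again.
    public static string EncodeBeforeSave(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    // One encoding cannot serve every context: the same stored value needs
    // a URL encoder in a query string ...
    public static string RenderInQueryString(string storedValue)
    {
        return "/search?q=" + HttpUtility.UrlEncode(storedValue);
    }

    // ... and a JavaScript string encoder inside a script literal.
    public static string RenderInScriptLiteral(string storedValue)
    {
        return "var name = '" + HttpUtility.JavaScriptStringEncode(storedValue) + "';";
    }

    // True when a value that was already encoded is encoded a second time
    // (the browser would then show "&quot;" and "&amp;" as literal text).
    public static bool IsDoubleEncoded(string rendered)
    {
        return rendered.Contains("&amp;quot;") || rendered.Contains("&amp;lt;");
    }

    static void Main()
    {
        // Constructed sample input containing the characters the table above uses.
        string input = "Not \"Good\" & <script>alert('bad')</script>";

        Console.WriteLine(RenderAsHtml(input));                // tags become inert text
        string savedEncoded = EncodeBeforeSave(input);
        string shown = RenderAsHtml(savedEncoded);
        Console.WriteLine(shown + "  double-encoded: " + IsDoubleEncoded(shown));
        Console.WriteLine(RenderInQueryString(input));         // %22, %26, %3c ... not &quot;
        Console.WriteLine(RenderInScriptLiteral(input));       // \" and \u003c ... not &lt;
    }
}
```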
Also note that depending on how you bind your data to controls, you may need to encode explicitly, like so:

```aspx
<!-- OK: the bound value is encoded explicitly before it is written into the page -->
<asp:Repeater ID="rptTest1" runat="server">
    <ItemTemplate>
        <%# Server.HtmlEncode((string)Eval("FieldName")) %>
    </ItemTemplate>
</asp:Repeater>

<!-- Also OK: the TextBox control encodes its Text property when it renders -->
<asp:Repeater ID="rptTest2" runat="server">
    <ItemTemplate>
        <asp:TextBox ID="txtFieldName" Text='<%# Bind("FieldName") %>'
            runat="server"></asp:TextBox>
    </ItemTemplate>
</asp:Repeater>
```