In ASP.NET 4.5, how should I encode a string to be used as a JavaScript variable, to prevent XSS attacks -

-

i know of several ways this, have downside. there "accepted" way of doing it, considered best?

i used use microsoft.security.application.antixss.javascriptencode() great, antixss has been end-of-lifed because encoder included in .net of 4.5.

however, reason, system.web.security.antixss.antixssencoder doesn't include javascriptencode method.

there's system.web.httputility.javascriptstringencode(), uses blacklist method encoding, it's unlikely whitelist encoder.

and i've seen recommendations use system.web.script.serialization.javascriptserializer.serialize(), calls httputility.javascriptstringencode().

so what's best accepted, whitelist method encoding values written out js variables?

if wish include javascript code within <script> block this:

<script> var myvariable = '<%=thisiswrong %>'; </script>

then in context httputility.javascriptstringencode should used. function correctly encodes special characters, if </script> rendered in script tag in attempt close html script tag ready xss attack, rendered as:

\u003c/script\u003e

which correct encoding javascript understand </script>, without browser interpreting literal closing script tag. naively written javascript encoding routines not convert because sequence not contain \, " or ' characters.

if don't make sure closing script tags not rendered, attack possible. imagine input application:

</script><script>alert(1)</script>

which renders in browser as

<script type="text/javascript">  alert('</script><script>alert(1)</script>');  </script>

and browser interpret script tag ending @ alert('</script> , execute in new script tag.

with javascriptstringencode function safe rendered as:

<script type="text/javascript">  alert('\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e');  </script>

which not contain </script> browser interpret.

there's system.web.httputility.javascriptstringencode(), uses blacklist method encoding, it's unlikely whitelist encoder.

some of other encoding functions in .net use blacklist methods, in own testing javascriptstringencode seems ample.

the owasp recommendation javascript is

except alphanumeric characters, escape characters less 256 \xhh format prevent switching out of data value script context or attribute.

so write own comply this.

note if want include code in attribute tags:

<a href="http://example.com" onclick="alert('<%=wrong>')">click</a>

then owasp method means don't have take care of html encoding (because no html characters special meaning output). without (e.g. javascriptscriptencode) need html encode too.

having said this, safer way approach answer question secure way of inserting dynamic values in external javascript files. use data- attributes place dynamic values in dom (in html) , use javascript extract these values. prevent javascript encoding headaches.


Comments

Post a Comment

Popular posts from this blog

python - TypeError: start must be a integer -

-
i trying draw 5 turtles, getting typeerror on line 25. here code: import turtle wn = turtle.screen() redrose = turtle.turtle() color = input("what background color be?") fillcolor_f = input("what color of rose be?") redrose.hideturtle() redrose.speed(30) redrose.penup() redrose.left(180) redrose.forward(175) redrose.right(90) redrose.forward(30) redrose.right(90) redrose.pendown() def drawrose(red): redrose.color("pink") redrose.fillcolor(fillcolor_f) redrose.fill(true) in range(red): redrose.forward(i) redrose.right(49) in range(5): drawrose(redrose) redrose.penup() redrose.forward(350) redrose.right(144) redrose.pendown() redrose.fill(false) drawrose(50) wn.bgcolor(color) i trying draw 5 roses, produces errors. doing in interactivepython.org. you recursively calling drawrose wrong parameter. on line 23 ( for in range(red): ) expect red integer...
Read more

c# - DevExpress RepositoryItemComboBox BackColor property ignored -

-
i have following code almost works properly; private void cbstatus_drawitem(object sender, listboxdrawitemeventargs e) { string item = e.item string; if (item != null) { switch (item) { case "1": e.appearance.forecolor = color.green; e.appearance.backcolor = color.green; break; case "2": e.appearance.forecolor = color.orange; e.appearance.backcolor = color.orange; break; case "3": e.appearance.forecolor = color.red; e.appearance.backcolor = color.red; break; } } } when dropdown shown, items forecolor correct, backcolor remains whatever backcolor of theme is; i.e. if i've got set dark theme, backcolor dark, cells in gridview, rather being green/orange/red. i've tried setting e.appearance.options.usebackcolor trying set e....
Read more

django - Creating multiple model instances in DRF3 -

-
1) create multiple model instances 1 api call, asked here: how create multiple model instances django rest framework? tried solution named in link, no success. i trying upload multiple files in 1 api call. result: files uploaded (only once overwrote perform_create) 1 instance created (if send 2 files, latter created instance). my code: class fileuploadserializer(serializers.modelserializer): def __init__(self, *args, **kwargs): many = kwargs.pop('many', true) super(fileuploadserializer, self).__init__(many=many, *args, **kwargs) class meta: model = fileupload read_only_fields = ('created', 'datafile', 'owner') class fileuploadviewset(viewsets.modelviewset): queryset = fileupload.objects.all() serializer_class = fileuploadserializer parser_classes = (multipartparser, formparser, ) def perform_create(self, serializer): file_list = self.request.data.getlist('file') ...
Read more