Preventing Javascript and XSS attacks

6
votes

I'm xss-proofing my web site for javascript and xss attacks. It's written in ASP.NET Webforms.

The main part I'd like to test is a user control that has a textbox (tinyMCE attached to it).

Users can submit stories to site by writing in this textbox. I had to set validateRequest to false since I want to get users' stories in HMTL (tinyMCE).

How should I prevent javascript-xss attacks? Since users' stories are HMTL texts, I cannot use Server.HtmlEncode on their stories. In general, what's the safe way to receive HTML content from user, save and then display it to users?

If one user puts malicious code in the textbox and submits it, is there a chance that this could harm other people who view that text?
Thanks.

3
javascriptasp.netxss
good question. i dont think one answer will do justification to the question. on an unrelated side note your captcha is outdated(updated more than two years ago). please try google's recaptcha.naveen
It wouldn't hurt to also prevent SQL Injection attacks.Tim
@naveen: Thanks. I'll upgrade to recaptcha soon.Kamyar

3 Answers

4
votes

If you don't clean what the user puts in the textbox and submits, then yes, there is a chance for harm to be done.

You might want to check out the Microsoft Anti-Cross Site Scripting Library, as it is designed to help developers prevent just such attacks.

Also worth taking a look at is OWASP's Cross-site Scripting (XSS)

You might want to look into HttpUtility.HtmlEncode and HttpUtility.HtmlDecode as well. I just wrote a quick test, and it looks like it might address your concern in the comment below (about how to display the data to other users in the right format):

string htmlString = "<b>This is a test string</b><script>alert(\"alert!\")</script> and some other text with markup <ol><li>1234235</li></ol>";

string encodedString = HttpUtility.HtmlEncode(htmlString);
// result = &lt;b&gt;This is a test string&lt;/b&gt;&lt;script&gt;alert(&quot;alert!&quot;)&lt;/script&gt; and some other text with markup &lt;ol&gt;&lt;li&gt;1234235&lt;/li&gt;&lt;/ol&gt;

string decodedString = HttpUtility.HtmlDecode(encodedString);
// result = <b>This is a test string</b><script>alert("alert!")</script> and some other text with markup <ol><li>1234235</li></ol>

ASP.NET Controls and HTMLEncode I was going to post the information I had from my class, but I found a link that lists the exact same thing (for 1.1 and 2.0), so I'll post the link for easier reference. You can probably get more information on a specific control not listed (or 3.0/3.5/4.0 versions if they've changed) by looking on MSDN, but this should serve as a quick start guide for you, at least. Let me know if you need more information and I'll see what I can find.

ASP.NET Controls Default HTML Encoding

Here's a more comprehensive list from one of the MSDN blogs: Which ASP.NET Controls Automatically Encodes?

3
votes

I would go with storing it encoded in database, then when showing Decode it and replace only the < with &lt; if you say you need to preserve other things.

As far as I know, if you replace the < XSS is not really possible as any JS code must be inside <script> tags to be executed and by replacing, you'll get this in the HTML source: &lt;script> and the user will see <script> on the screen as the browser will parse the &lt; entity.

This said, if you allow users to post "raw" HTML e.g. <b>this section is bolded</b> then you'll have to create "white list" of allowed tags then manually replace the &lt; with the proper HTML for example:

string[] allowedTags = new string[] { "a", "b", "img" };
foreach (allowedTag in allowedTags)
   output = output.Replace("&lt;" + allowedTag, "<" + allowedTag);
1
votes

Have you seen the OWASP guide on this

The best way would be to have an white list of allowed tags instead of a trying to come up with a way to prevent all script tags.

One solution on how to do this is here How do I filter all HTML tags except a certain whitelist? But you also need to be aware people might have a link to external script via an image tag with a URL to their own server. See examples here http://ha.ckers.org/xss.html of the different types of attacks you need to defend against