I am developing web application on ASP.NET and I am getting textarea input from users and later display this input on website. While saving input into database I am not encoding input and directly write them into db.
If input contains "enter" I don't want to lose line breaks. So I am replacing data like that:
Replace("\r\n", "<br />")
And to prevent XSS attack before displaying I am encoding data using Microsoft's AntiXSS library's Microsoft.Security.Application.Encoder.HtmlEncode function.
This function also encodes "<br/>" and on screen I don't have any line break.
If I encode first with AntiXSS and then replace "\r\n" with "<br/>" I am not getting any line break as well, since AntiXSS I think removes "\r\n".
If I use Server.HtmlEncode and then replace "\r\n" with "<br/>" then everything is fine. But I want to use AntiXSS library and I don't know how to achieve this.
Is there any way to print line breaks using AntiXSS HtmlEncode function?
Thanks
Related
Looking at an old ASP file, I am trying to figure out what would the best practice be in achieving the following:
I am receiving a string through a database connection.
This string is the displayed part of a select box.
I am required to output this string using Server.HTMLEncode(string).
However, since there are spaces in that string I get the output as .
What would the best practice be in converting back into actual whitespace?
To replace with whitespace in classic ASP I used the following code:
<%= Replace(Server.HTMLEncode(string)," "," ") %>
Where string is the variable that contains .
I am trying to figure out an issue in my Classic ASP application, whenever a user tries to copy text from Microsoft word into Textarea placeholder & save, it is stored in the Database as a??.
I tried replacing special character like single quote using following statement
Replace(Trim(Request.Form("Description")),chr(39), "'")
Replace(Trim(Request.Form("Description")),chr(39), "'")
Both the above statements didn't work. It was able to find special character-single quote when I type in & replaced it with ' when I use 2nd statement but for some weird reason it doesn't still work for Copy paste from Microsoft word.
Because word uses character 145 rather than 39,
So your code should be
Replace(Trim(Request.Form("Description")),chr(145), "'")
I have a general question. Should we normally sanitize the SMS text command that the user inputs via their phone for which we send the response? If yes should we sanitize right away i.e. as soon as it comes? Any ideas for the ways that this can be done in asp.net V4.5/MVC?
I am using Twilio. Does Twilio Helper have any APis to do this?
Should we normally sanitize the SMS text command that the user inputs via their phone for which we send the response?
I'm assuming you mean "send to the response", as in Response object in ASP.NET?
Like all input to your application, you should properly encode it when output to the response. You can usually store it in raw, unencoded format in your database, but if this is output to HTML or JavaScript then it should be encoded properly.
e.g. If the " character is output into HTML, then you should encode this as " at the point of output. In MVC, this is automatically done by Razor using the #variable syntax. In classic MVC, the syntax is <%: variable%> (never use <%=variable%> as this will not encode).
If output to JavaScript then it should be hex entity encoded, so " becomes \x22. You can do this in MVC using #Html.Raw(HttpUtility.JavaScriptStringEncode(variable)) (this example is using Razor).
Check out the OWASP XSS Prevention Cheat Sheet for tips on how to encode correctly depending on output context.
This is the strangest thing and I can not figure out how this is happening. Some how a user on my asp.net website is creating a multiline string but is not using the normal carriage return or linefeed.
I have tried to figure out how this is being accomplished.
It is a multiline textbox and when you press enter it goes to a new line.
In the aspx code I am using the following code to break the string into an array and count the lines in the array.
Dim text as String = txtMessage.Text.Trim
Dim Array as String() = text.split(vbNewLine)
Return Array.Length
I most normal situations when there is a line wrap it goes to the next line a CR/LF is entered and the code will break the string into a new line. Also pressing enter creates a new line and the split function works separating the lines and creates the dimensional array based on number of lines.
There is just one user that is some how creating a new line using a nonstandard CRLf. It is causing the split by vbnewline to not catch and break the string into an array. I have never seen this happen before.
I'm not asking how to fix this. I think I have a good idea how to keep this from happening by doing additional checks on the string through regex.
I am just completely puzzled as to how this is happening. If you have seen this before or have an idea of how this is accomplished then I would love to hear your thoughts.
Here are things I have tried: Inserting HTML into the string( didn't work )
: manually adding line breaks in the string such as \r, and using Hex codes to confuse the split function (didn't work)
:Injecting Script into the string(didn't work)
:Used access and excel to create strings without using a standard CRLF and copy and pasting (didn't work).
I have 5 yrs coding experience and am completely intrigued. Can you solve this?
What OS are you on? VbNewline is platform-dependent -- if your server is on Windows, that means \r\n. Since you're producing a web application, it's possible that not all of your users are on Windows -- and different OSes record line breaks differently -- they could well be VbCrLf (\r\n), VbLf (\n), or VbCr (\r), depending on whether your user is on Windows, Linux, or Mac respectively. You'll have to detect which one the user is transmitting and split your array on the appropriate combination of characters.
This answer from Karl Nicoll has more useful information for a user who experienced a very similar problem.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
" & etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following " -> "
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What i would suggest is that you write a quick script that goes through the database and unencode the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded1, the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
1Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".