Are HTML textbox value attributes safe from XSS attacks?

I have a textbox where I want to allow users the ability to type in potentially dangerous characters such as < and > (this is a mathematical expression data entry field which required me to disable ASP.NET validation on the textbox). The data is stored in a database and retrieved later for display on the page. When I display the data in the textbox, I am setting it like this:

textboxA.Text = expression; where expression comes from the database with the potentially dangerous characters.

Anyway, I tried purposely inserting something like < script>alert('hi') < /script> but I can't get this script to execute when the Text property is set (translates to value attribute in client-side HTML). The result looks like:

< input type="text" value="<script>alert('hi')< /script>">>< /input>

So what gives, is the value attribute safe from injections?

Note: The spaces before each tag in the examples are only for StackOverflow because it deletes tags from questions.

Justin Skiles asked Dec 20 '22 22:12


1 Answer

To properly insert this code into your site you must understand how your code works. I'm not sure how ASP.NET declares an input field, but as long as it doesn't automatically encode special characters then my tip should let you insert code.

If, for example, this is how the code of your input looks (this is an input field for an HTML site), where <?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?> is the part of the code that inserts your script back into the HTML page (assuming you are saving the value into the session and redisplaying the value in the textbox)

If you're passing argument back to the form by using the URL:

http://www.website.com/index.php?username="><script>alert('hi')</script>

From

<input type="text" name="username" 
value="<?php if (isset($_SESSION['username'])) {echo $_SESSION['username'];} ?>">

Then the code you want to inject must look like this:

"><script>alert('hi')</script>

Notice "> at the beginning of this code. Basically what it does is to end the value="" by using " tag and then closes input field with >.

So the actual result would be:

<input type="text" name="username" value=""><script>alert('hi')</script>

From there you will be able to insert code such as JavaScript.

HelpNeeder answered Jan 05 '23 03:01
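
The difference between the question's input and the answer's input, as an added example that is not part of the original thread: the raw template from the answer is rendered beside an attribute-encoded version, and a simplified scanner reports the value the textbox ends up with and any markup that escaped the tag. All function names are hypothetical, the sample inputs are constructed from the strings in the thread, and the scanner only models this one double-quoted template, not a full HTML parser.

```javascript
// Encode text for a double-quoted HTML attribute value.
function encodeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reverse of encodeAttr: what the browser shows in the textbox after parsing.
function decodeAttr(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// "Before": raw concatenation, as in the PHP echo in the answer.
function renderRaw(value) {
  return '<input type="text" name="username" value="' + value + '">';
}

// "After": encode for the attribute context, then insert.
function renderEncoded(value) {
  return renderRaw(encodeAttr(value));
}

// Simplified scan of this one template: a '>' inside double quotes is data,
// the first '>' outside quotes ends the tag. Returns the value the textbox
// would hold and any markup left after the tag (non-empty means breakout).
function inspect(html) {
  let inQuote = false;
  let i = 0;
  for (; i < html.length; i++) {
    if (html[i] === '"') inQuote = !inQuote;
    else if (html[i] === '>' && !inQuote) break;
  }
  const m = /value="([^"]*)"/.exec(html.slice(0, i + 1));
  return { value: m ? decodeAttr(m[1]) : null, trailing: html.slice(i + 1) };
}

// Constructed inputs: the two strings from the thread plus a math expression.
const samples = ["<script>alert('hi')</script>", "\"><script>alert('hi')</script>", 'a < b && "c" > d'];
for (const s of samples) {
  console.log(JSON.stringify(s), inspect(renderRaw(s)), inspect(renderEncoded(s)));
}
```

The question's string stays inside the attribute even unencoded because it contains no double quote; the math expression with a quote does not escape the tag but its stored value is truncated unless it is encoded.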