We are currently dealing with some XSS issues on one of our ASP.NET MVC projects. I found two issues - the first one has to do with our request validation pattern. The attacker could now use this security hole to drop some bad content in our database.
The second issue is how we display this content: we use the Html.DisplayTextFor method, and it seems to be "broken".
Just create a new MVC 3 WebApp, put this in the HomeController:
public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Same payload in ViewBag and in the model so the view can compare helpers
        ViewBag.Message = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";
        User foo = new User();
        foo.Name = "<SCRIPT/XSS SRC=\"htpp://ha.ckers.org/css.js\">";
        return View(foo);
    }
    public ActionResult About()
    {
        return View();
    }
}
public class User
{
    public string Name { get; set; }
}
The View:
@* User is declared next to HomeController; import that namespace with @using or in Views/Web.config *@
@model User
@Html.TextBoxFor(m => m.Name) <br/>         @* will be encoded *@
@Html.Encode(ViewBag.Message) <br/>          @* will be double encoded *@
@Model.Name <br/>                             @* will be encoded *@
@Html.DisplayTextFor(m => m.Name) <br/>      @* no encoding *@
The output of DisplayTextFor will be the whole string <script xss="" src="htpp://ha.ckers.org/css.js">
Question is: Bug, feature or am I using it wrong?
Html.DisplayTextFor is really for interacting with the [DisplayFormat] attribute (see MSDN).
So if you're using it with unsafe values, you have to be aware of this and use [DisplayFormat(HtmlEncode = true)] on your property.
Edit: Looks like the HtmlEncode property isn't actually enforced by DataAnnotationsModelMetadataProvider (and DisplayTextFor).
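Since DisplayTextFor in MVC 3 emits ModelMetadata.SimpleDisplayText verbatim, a practical fix is to use a helper that does the same metadata lookup but encodes unconditionally. The following is an added example, not code from the question, the answer or ASP.NET MVC itself; the extension name EncodedDisplayTextFor and the class name SafeDisplayExtensions are assumptions.

```csharp
using System;
using System.Linq.Expressions;
using System.Web.Mvc;

// Added example: a drop-in replacement for Html.DisplayTextFor that always
// HTML-encodes the value. Names are assumptions, not part of the framework.
public static class SafeDisplayExtensions
{
    public static MvcHtmlString EncodedDisplayTextFor<TModel, TValue>(
        this HtmlHelper<TModel> html,
        Expression<Func<TModel, TValue>> expression)
    {
        // Same metadata lookup DisplayTextFor performs, so [DisplayFormat]
        // settings such as DataFormatString and NullDisplayText still apply.
        ModelMetadata metadata =
            ModelMetadata.FromLambdaExpression(expression, html.ViewData);
        string text = metadata.SimpleDisplayText ?? string.Empty;

        // Encode regardless of metadata.HtmlEncode: the answer above notes that
        // DisplayTextFor does not honour it in MVC 3, so do not rely on it here.
        // Wrapping the encoded string in MvcHtmlString marks it as already safe,
        // so Razor's @ does not encode it a second time (no double encoding).
        return MvcHtmlString.Create(html.Encode(text));
    }
}
```

In the view from the question, `@Html.EncodedDisplayTextFor(m => m.Name)` then renders `&lt;SCRIPT/XSS SRC=...&gt;` as visible text instead of a live script tag. Encoding unconditionally is the safer default: if a property really must emit raw markup, return an MvcHtmlString from a separate, explicitly named helper rather than flipping an attribute that the built-in helper may ignore.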