I have the following code:
label x = txtName.Text;
When the security team analyzed the dll they said it was possible to perform an XSS attack on the above code. I know the textbox Text property does not prevent an XSS attack, so what should I do now?
Will the following amendment resolve the issue?
label x = Server.HtmlEncode(txtName.Text);
I am assuming you are talking about a WebForms Label - it is not clear from the question (post real code!)
This is a problem with the design of ASP.NET WebForms. Many elements have a property called Text, but the property does different things depending on the element.
You would hope that setting Text on a control would set its plain textual content. This safe operation is what the name would seem to imply. And that is the case on these controls:
Unfortunately, on a bunch of other controls, the property of the same name actually sets the HTML markup in the element. So if you have a text string with <b> in it, you get some bold text instead of the letter b in some angle brackets. And if the text has strings such as <script> in it, code will be executed on the browser, resulting in security problems.
Some of these unfortunate unsafe controls are:
To use these safely, you must HTML-encode all content you write to the Text property.
Finally there is one control that swings both ways:
By default this sets HTML markup (boo!), but if you set the Mode="Encode" property, it sets text instead.
This is of course all very confusing and no way to design a web framework, but that's what we've got to work with.
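The following code-behind is an added illustration of the answer above; it is not the answerer's code and not from any ASP.NET sample. It assumes a hypothetical page whose markup (not shown) declares a TextBox named txtName, a Label named lblGreeting and a Literal named litGreeting. It shows the vulnerable assignment beside the encoded one, the Literal control's Encode mode, and a small helper that renders a control to a string so you can inspect the markup that would actually reach the browser.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind: txtName, lblGreeting and litGreeting are assumed
// to be declared in the page markup (not part of the original question or answer).
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            return;
        }

        // Attacker-controlled input; the TextBox itself does no output encoding.
        string name = txtName.Text;

        // VULNERABLE: Label.Text is emitted as raw HTML, so input such as
        // "<script>..." would be interpreted by the browser.
        // lblGreeting.Text = "Hello, " + name;

        // FIXED: encode before assigning. Server.HtmlEncode and
        // HttpUtility.HtmlEncode are equivalent here; both turn < > & " into entities.
        lblGreeting.Text = "Hello, " + Server.HtmlEncode(name);

        // Literal is the control that "swings both ways": in Encode mode it
        // HTML-encodes Text for you, so no manual encoding call is needed.
        litGreeting.Mode = LiteralMode.Encode;
        litGreeting.Text = "Hello, " + name;
    }

    // Renders any control to a string so a reviewer can check whether
    // user-supplied markup survives unencoded in the output.
    public static string RenderToString(Control control)
    {
        using (var sw = new StringWriter())
        using (var writer = new HtmlTextWriter(sw))
        {
            control.RenderControl(writer);
            return sw.ToString();
        }
    }
}
```

Passing a Label whose Text was set to a string containing angle brackets to RenderToString shows those brackets verbatim inside the rendered span, while the same string passed through Server.HtmlEncode first, or assigned to a Literal in Encode mode, comes out as &lt; and &gt; entities; that difference is what the security team's finding is about.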