C# - 文字控制容易受到 XSS 攻击
我正在使用文字在产品页面控件上显示一些 javascript。基本上我正在做的是在我的代码后面声明一个新的字符串构建器,编写脚本,同时插入一些动态变量来填充脚本,然后将文字设置为字符串构建器。这让我很容易受到 xss 攻击。我可以做什么来防止这种情况发生?
编辑。这是字符串生成器的示例。当页面加载时,xss 漏洞会在 javascript 生成后立即发生。
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
sb.Append("<script type='text/javascript'>");
//add +1 to each item
sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
sb.Append("\"entity.id=" + _prodID + "\",");
sb.Append("\"entity.categoryId=" + _categoryID + "\",");
sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
//The following value has been taken from the productImageControl code behind.
//Might have to refactor in future as a property of the image control.
string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
+ AppSettingsManager.Current.ProductImageExtension;
sb.Append("\"entity.thumbnailURL=" + filename + "\",");
sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
//The last line has to be /script. < inserted on prev line. do not change it or bad things will happen.
sb.Append("/script>");
}
this.LiteralMBoxScript.Text = sb.ToString();
I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?
EDIT. Here is an example of the stringbuilder. when the page gets loaded the xss vulnerability occurs right after the javascript is generated.
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
sb.Append("<script type='text/javascript'>");
//add +1 to each item
sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
sb.Append("\"entity.id=" + _prodID + "\",");
sb.Append("\"entity.categoryId=" + _categoryID + "\",");
sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
//The following value has been taken from the productImageControl code behind.
//Might have to refactor in future as a property of the image control.
string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
+ AppSettingsManager.Current.ProductImageExtension;
sb.Append("\"entity.thumbnailURL=" + filename + "\",");
sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
//The last line has to be /script. < inserted on prev line. do not change it or bad things will happen.
sb.Append("/script>");
}
this.LiteralMBoxScript.Text = sb.ToString();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您需要对放入 Javascript 中的任何用户生成的数据进行正确编码。
在 ASP.Net 4.0 中,您可以调用
HttpUtility .JavaScriptStringEncode。在早期版本中,您可以使用Web 保护库。
You need to properly encode any user-generated data that you're putting into the Javascript.
In ASP.Net 4.0, you can call
HttpUtility.JavaScriptStringEncode.In earlier versions, you can use the Web Protection Library.
为了防止 XSS,您可以对值进行 HTML 编码 。
To prevent XSS you could HTML encode the value.
或者,您可以编写 JavaScript 来从页面读取用户提供的数据。这将导致更少的 JavaScript 代码和更快的页面加载。
例如,如果您使用 JQuery,则可以使用 $.Parent() 和 $.Children() 选择器将 DOM 遍历到适当的表单控件,以引用有关循环中特定记录的信息。
这是一个相对简单的示例
这适用于以下 html 示例:
这样做的优点是您不再需要编写将 ID 作为参数的 JavaScript 函数,这意味着您不需要动态生成按钮上的函数,并且可以将它们加载到单独的 JS 文件的标头中。
Alternately, you could write your javascript to read the user supplied data off of the page. This will result in less javascript code, and a faster page load.
If you are using JQuery for example, you can use the $.Parent() and $.Children() selectors to traverse the DOM to the appropriate form controls to reference information about that particular record in the loop.
Here is a relatively simple sample
This would work with the following html example:
The advantage of doing it this way is that you no longer have to write javascript functions that take the ID as a parameter, meaning you don't need to dynamically generate the functions on the button, and can load them in the header in a separate JS file.
好吧,如果只是按字面量编写您自己的脚本,那么您就不会比仅在站点上包含 js 文件更容易受到攻击。另一方面,如果您的脚本中散布着用户提供的任何类型的数据,那么您需要在将数据写入页面之前对其进行清理。
Well, if it is just your own script being written to the literal, you are no more open to attacks than if you simply included a js file on your site. If on the otherhand your script is interspersed with user supplied data of any kind, then you need to sanitize that data before you write it to the page.
如果您使用的是 .NET 4.0,则可以使用
<%: theText %>语法输出该值。If you are using .NET 4.0, you could output the value using the
<%: theText %>syntax.