asp.net mvc - Prevent XSS attacks and still use Html.Raw -

-

i have cms system using ck editor enter data. if user types in <script>alert('this bad script, data');</script> ckeditor fair job , encodes correctly , passes &lt;script&gt;alert(&#39;this bad script, data&#39;)&lt;/script&gt; server.

but if user goes browser developer tools (using inspect element) , adds inside shown in below screen shot when trouble starts. after retrieving db when displayed in browser presents alert box.

edit ckeditor contents thru inspect element

so far have tried many different things 1 them

  • encode contents using antixssencoder [httputility.htmlencode(contents)] , store in database , when displaying in browser decode , display using mvchtmlstring.create [mvchtmlstring.create(httputility.htmldecode(contents))] or html.raw [html.raw(contents)] may expect both of them displays javascript alert.

i don't want replace <script> manually thru code not comprehensive solution (search "and encoded state:").

so far have referred many articles (sorry not listing them here adding few proof show have put sincere efforts before writing question) none of them have code shows answer. may there easy answer , not looking in right direction or may not simple @ , may need use content security policy.

asp.net mvc html.raw antixss protection is there risk in using @html.raw? http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/ http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/

to reproduce saying go *this url , in text box type <script>alert('this bad script, data');</script> , click button.

*this link michael kennedy's blog

it isn't easy , don't want this. may suggest use simpler language html end user formatted input? markdown (i believe) used stackoverflow. or 1 of existing wiki or other lightweight markup languages?

if allow html, suggest following:

  • only support fixed subset of html
  • after user submits content, parse html , filter against whitelist of allowed tags , attributes.
  • be ruthless in filtering , eliminating aren't sure about.

there existing tools , libraries this. haven't used it, did stumble on http://htmlpurifier.org/. assume there many others. rick strahl has posted 1 example .net, i'm not sure if complete.

about ten years ago attempted write own whitelist filter. parsed , normalized entered html. removed elements or attributes not on allowed whitelist. worked pretty well, never know vulnerabilities you've missed. project long dead, if had on have used existing simpler markup language rather html.

there many ways users inject nasty stuff pages, have fierce prevent this. css can used inject executable expressions page, like:

<style type="text/css">body{background:url("javascript:alert('xss')")}</style>

here page list of known attacks keep @ night. if can't filter , prevent of these, aren't ready untrusted users post formatted content viewable public.

right around time working on own filter, myspace (wow i'm old) hit xss worm known samy. samy used style attributes embedded background url had javascript payload. explained author.

note example page says:

this page meant accept , display raw html trusted editors.

the key issue here trust. if of users trusted (say employees of web site), risk here lower. however, if building forum or social network or dating site or allows untrusted users enter formatted content viewable others, have difficult job sanitize html.


Comments

Post a Comment

Popular posts from this blog

php - Zend Framework / Skeleton-Application / Composer install issue -

-
i trying create zend framework application using skeleton in netbeans. when run composer install, following error message: "c:\php\php.exe" "c:\composer\composer.phar" "--ansi" "--no-interaction" "update" "--dev" using deprecated option "dev". dev packages installed default now. loading composer repositories package information updating dependencies (including require-dev) requirements not resolved installable set of packages. problem 1 - package requires php >=5.5 php version (5.4.42) not satisfy requirement. problem 2 - installation request zendframework/zendframework 2.5.1 -> satisfiable zendframework/zendframework[2.5.1]. - zendframework/zendframework 2.5.1 requires php >=5.5 -> php version (5.4.42) not satisfy requirement. done. apparently, zend framework only needs php 5.3+ contradicts above. need use php 5.4. my composer.json following: { "name": "
Read more

c# - Better 64-bit byte array hash -

-
i need hash algorithm produces 64-bit hash code ( long ) fewer collisions string.gethashcode() , fast (no expensive calls cryptographic functions). here's implementation of fnv still shows 3% of collisions after testing 2 million random strings. need number way lower. void main() { const string chars = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz!#@$%^&*()_+}{\":?><,./;'[]0123456789\\"; const int n = 2000000; var random = new random(); var hashes = new hashset<long>(); int collisions = 0; for(int = 0; < n; i++) { var len = random.next(chars.length); var str = new char[len]; (int j = 0; j < len; j++) { str[j] = chars[random.next(chars.length)]; } var s = new string(str); if(!hashes.add(get64bithash( s ))) collisions++; } console.writeline("collision percentage after " + n + " random strings: " + ((doubl
Read more

python - PyCharm Type error Message -

-
i'm newbie trying out ml/dbn in python (3.4) under pycharm (comm.ed 4.5). following definition def make_thetas(xmin,xmax,n): xs = np.linespace(xmin,xmax,n) widths = (xs[1:] - xs[:-1])/2.0 thetas = xs[:-1] + widths return thetas throws error "class 'tuple' not define ' sub ', '-' operator cannot used on instance" on - operator on third line (widths = ....) ideas on how code running under pycharm - works alright in interactive python window. thx. to all, after g'g lot have found workaround seems work within pycharm. workaround because (even python newbie) expected python not need explicit typecasting, not when using datatypes imported lib such numpy. def make_thetas(xmin,xmax,n): xs = np.array(np.linspace(xmin,xmax,n)) widths = (xs[1:] - xs[:-1])/2.0 thetas = xs[:-1]+ widths return thetas using docstrings type-hinting such below did not work def make_thetas(xmin,xmax,n): "&q
Read more