How to prevent script injections at page level?

  • Question

  • User435591045 posted

    Hi,

    I am using .NET 3.5 for my web application. In the page heading, to prevent script executions, I am using ValidateRequest="false". Along with that, for all fields I need to use Server.HtmlEncode as Server.HtmlEncode(strText); in the code-behind.

    I don't want to use Server.HtmlEncode for each field in all pages. So please let me know whether there is any page-level directive as an alternative to Server.HtmlEncode to prevent script injections.

    Harsha.

    Tuesday, October 16, 2012 5:54 AM

Answers

  • User-742633084 posted

    Hi harshaprakashst,

    So your main concern is to find a way to centralize the "Server.HtmlEncode" converting code logic instead of repeating it in every page and every textbox control, right?

    Here are some options you can consider:

    1) You can build a custom Label control (derive from the built-in Label) and inject your HTML encode logic in its rendering method. Then, for the pages which need to display potentially dangerous text, you use this custom label control instead.

    2) You can also build a custom page class and override its OnPreRender method. In the OnPreRender method, you can programmatically find all the Label controls (from the Page's Controls collection, recursively) and then HtmlEncode the Text property. And for those pages where you want to apply the HtmlEncode processing, you need to use this custom derived page class in the code-behind.

    3) Another possible means is that you always perform HtmlEncode first, before such text data is stored into the DB. Thus, that text is by default in HTML-encoded format, and you only need to use HtmlDecode on it in case you want to render the actual markup or script content.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, October 16, 2012 10:04 PM
  • User435591045 posted

    At last I got the solution. Tbl.Dispose() did the trick. :-)

    Anyhow, thanks a lot.

    Harsha

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, October 24, 2012 8:30 AM

All replies

  • User-837620913 posted

    You can enable validation for your entire site in the web.config, like this:

    <configuration>
       <system.web>
          <pages validateRequest="true" />
       </system.web>
    </configuration>

    You can disable validation for each page in the page directive, like this:

    <%@ Page validateRequest="false" %> 

    To meet your requirements, I would enable validateRequest in the web.config and then set validateRequest to false for certain pages that need to allow input.

    If you want to automatically HtmlEncode output, use the ASP.NET automatic binding syntax, like this:

    <%: Model.SomeProperty %> <!-- this is automatically Html Encoded! -->

    For more on the <%: binding syntax, see this blog post: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
    Tuesday, October 16, 2012 6:12 AM
  • User435591045 posted

    Darrell Norton, thank you very much for the quick reply. I am really sorry if my question was not clear.

    I am already using validateRequest="false" in the aspx page as well as web.config. In spite of that, for each label text or any other field which I will show in the web page I need to do Server.HtmlEncode. Otherwise, if any label text is a script like <script>alert('hi')</script>, it will not show the label text properly.

    But using Server.HtmlEncode for each field in all pages is very difficult. So I wanted to know an alternative for that where I can set in one place which will work for whole page.

    Please let me know if I am not clear.

    Harsha.

    Tuesday, October 16, 2012 6:25 AM
  • User435591045 posted

    Thank you very much Steven Cheng.

    I am implementing option 2. I could implement it without any problem.

    I have a question to improve performance in my page. To avoid unnecessary looping of Page.Controls, can I find controls of type Table directly in an aspx page?

    i.e., I am using the below code to find table controls. I don't want to loop page controls. Can I just find controls of type Table? I don't know the table id.

    foreach (Control c in Page.Controls)
    {
        // Only looks one level below the page; tables nested deeper are not visited.
        foreach (Control childc in c.Controls)
        {
            if (childc is Table)
            {
                // Table found; HtmlEncode its cells here.
            }
        }
    }
    Thanks again.

    Harsha.

    Wednesday, October 17, 2012 2:30 AM
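The two approaches Steven Cheng describes above (a Label that encodes itself, and a page class that encodes every Label in OnPreRender), together with the question about finding Table controls without knowing their IDs, as an added C# example for ASP.NET 3.5 Web Forms. This is not code from the thread or from the ASP.NET framework; the names SafeLabel, EncodingPage and Descendants<T> are chosen here, and the HasControls() guard and decode-then-encode step are design choices explained in the comments.

```csharp
// Added example, not code from the thread. Demonstrates option 1 (self-encoding
// Label), option 2 (page-level encoding in OnPreRender) and a recursive lookup
// for controls of a given type. SafeLabel, EncodingPage and Descendants<T> are
// names chosen for this example.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace SafeOutput
{
    // Option 1: encode at render time. Text itself is never modified, so
    // ViewState round-trips and repeated renders cannot double-encode
    // ("&lt;" turning into "&amp;lt;").
    public class SafeLabel : Label
    {
        protected override void RenderContents(HtmlTextWriter writer)
        {
            if (HasControls())
            {
                base.RenderContents(writer);   // child controls render themselves
            }
            else
            {
                writer.Write(HttpUtility.HtmlEncode(Text));
            }
        }
    }

    // Option 2: a base page that walks the whole control tree in OnPreRender.
    // Pages opt in with "public partial class MyPage : EncodingPage".
    public class EncodingPage : Page
    {
        // Depth-first walk yielding every control of type T at any depth.
        // Page.Controls lists only direct children, so a fixed two-level loop
        // misses tables inside panels, placeholders or user controls.
        public static IEnumerable<T> Descendants<T>(Control root) where T : Control
        {
            foreach (Control child in root.Controls)
            {
                T match = child as T;
                if (match != null)
                {
                    yield return match;
                }
                foreach (T nested in Descendants<T>(child))
                {
                    yield return nested;
                }
            }
        }

        // Decode first so the result is the same whether the text arrives raw
        // or already encoded: the value assigned in OnPreRender is saved to
        // ViewState, and on a postback that does not re-assign Text it would
        // otherwise be encoded a second time.
        private static string EncodeOnce(string text)
        {
            return HttpUtility.HtmlEncode(HttpUtility.HtmlDecode(text));
        }

        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);

            foreach (Label label in Descendants<Label>(this))
            {
                // SafeLabel encodes itself at render time; skip it here.
                // Setting Label.Text clears any child controls, so only touch
                // labels that hold plain text.
                if (label is SafeLabel || label.HasControls()) continue;
                label.Text = EncodeOnce(label.Text);
            }

            // Locating Table controls without knowing their IDs: same walk.
            foreach (Table table in Descendants<Table>(this))
            {
                foreach (TableRow row in table.Rows)
                {
                    foreach (TableCell cell in row.Cells)
                    {
                        // TableCell.Text also clears child controls when set.
                        if (cell.HasControls()) continue;
                        cell.Text = EncodeOnce(cell.Text);
                    }
                }
            }
        }
    }
}
```

SafeLabel needs a `<%@ Register %>` directive in markup before it can be used in place of `asp:Label`. The decode-then-encode step trades fidelity for idempotence: a user who literally types `&lt;` will see `<` rendered, which is safe but not byte-for-byte what was entered. If that matters, prefer the render-time approach of SafeLabel, which never rewrites the stored text.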
  • User1011739529 posted

    Hi,

    I suggest you use AntiSqlInjectionScreeningModule: http://forums.asp.net/t/1254125.aspx

    Saturday, October 20, 2012 6:09 PM
  • User435591045 posted

    Steven Cheng, as I said I implemented your option number 2. That is, overriding the OnPreRender method, and in this method I am doing Server.HtmlEncode for all controls in a foreach loop.

    Now I have a problem with binding data for the table control. I have pages where I bind data to table controls. I have dropdown filters in the page to filter data in the table. When the dropdown filter item changes, a function will get new data from the DB and bind it to the table.

    Data will bind properly for table for the first time. But When I select any filter item in dropdown, function will fetch new data from DB correctly but after page rendering it will still show old data only. Old data is not getting replaced for the table cells while rendering. Please help.

    Please let me know if I am not clear of if you need more details.

    Note: I cannot change the implementation from table to any other control like GridView etc., as this is common in all pages in the application.

    Harsha.

    Tuesday, October 23, 2012 9:35 AM
  • User435591045 posted

    Sorry if I am not clear. I will explain in detail. The page has a dropdown and a Table. The dropdown has around ten items. Out of that we have data for only four items. Hence we are showing all four records on page load along with HtmlEncode; no problem until here.

    After that I select a filter item for which data is there, it has to show only that particular record out of four records. But it shows first record out of four records irrespective of my dropdown selection. Data from DB is correct. It is binding to table correctly. But after rendering it will still have the first record out of four records.

    Please let me know if I am not clear of if you need more details.

    Harsha.

    Tuesday, October 23, 2012 9:54 AM