Is generated code sanitized

  • Question

  • User-1209166642 posted

    Untouched generated code here:

    @page
    @model pcore31.AddpetModel
    
    @{
        Layout = null;
    }
    
    <!DOCTYPE html>
    
    <html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <title>Addpet</title>
    </head>
    <body>
    
    <h4>Pet</h4>
    <hr />
    <div class="row">
        <div class="col-md-4">
            <form method="post">
                <div asp-validation-summary="ModelOnly" class="text-danger"></div>
                <div class="form-group">
                    <label asp-for="Pet.PetName" class="control-label"></label>
                    <input asp-for="Pet.PetName" class="form-control" />
                    <span asp-validation-for="Pet.PetName" class="text-danger"></span>
                </div>
                <div class="form-group">
                    <label asp-for="Pet.Dogpic" class="control-label"></label>
                    <input asp-for="Pet.Dogpic" class="form-control" />
                    <span asp-validation-for="Pet.Dogpic" class="text-danger"></span>
                </div>
                <div class="form-group">
                    <label asp-for="Pet.Odate" class="control-label"></label>
                    <input asp-for="Pet.Odate" class="form-control" />
                    <span asp-validation-for="Pet.Odate" class="text-danger"></span>
                </div>
                <div class="form-group form-check">
                    <label class="form-check-label">
                        <input class="form-check-input" asp-for="Pet.Ocheck" /> @Html.DisplayNameFor(model => model.Pet.Ocheck)
                    </label>
                </div>
                <div class="form-group">
                    <input type="submit" value="Create" class="btn btn-primary" />
                </div>
            </form>
        </div>
    </div>
    
    <div>
        <a asp-page="Index">Back to List</a>
    </div>
    
    @section Scripts {
        @{await Html.RenderPartialAsync("_ValidationScriptsPartial");}
    }
    </body>
    </html>
    

    Take for example this line:

    <input asp-for="Pet.PetName" class="form-control" />

    Is that asp-for also applying the equivalent of htmlentities? Or will I have to modify the code and do that myself?

    A search for "<input asp-for" yielded https://docs.microsoft.com/en-us/aspnet/core/mvc/views/tag-helpers/intro?view=aspnetcore-3.1

    I searched that page for "encode", "entity", "enti", "santi", "sanitize". No hits at all.

    So if the generated pages don't sanitize data, why are they used? I normally sanitize the request, but again, if I have to sanitize each field, why the auto context instead of individual requests?

    For example:

    string petname = Request.Form["petname"];
    // I could add a custom sanitize class
    
    string petname =  Helper.sanitize(Request.Form["petname"]);
    
    // Something like that.

    Sorry this "generated" code still confuses me.

    Monday, May 4, 2020 4:19 AM

Answers

  • User-474980206 posted

    The reason Microsoft stopped supplying the sanitation is that in real life it's a difficult problem. Hackers learn every trick to bypass the sanitation. They decided that the false sense of security of a partial solution was worse.

    Output encoding prevents simple defacement attacks and hidden script (one of the most common).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 5, 2020 4:58 PM
  • User753101303 posted

    It could be discussed endlessly, but it could be worse for beginners: what about those using non-Latin characters and doing string comparisons? Not sure a developer-oriented framework does this by default.

    BTW before doing this you could consider also using https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 5, 2020 6:45 PM
  • User-821857111 posted

    So Joe Blow decides he's going to create an api so folks can get some data from his site.
    Joe Blow could also be saving passwords in plain text in a database, or worse still, attempting to collect and store credit card details in a site that doesn't even run on HTTPS. I've seen it all here.

    At least MS try to mitigate XSS by encoding output by default for ASP.NET developers. If people are consuming data from a third party using a different framework, they should do the same. You could just as well attack other web development frameworks for NOT encoding output by default.

    And what about when you want to store HTML? So many sites have Request validation disabled for this very purpose, it's no surprise that MS decided not to bother introducing it back into .NET Core.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, May 7, 2020 9:02 AM

All replies

  • User-821857111 posted

    So if the generated pages doesn't sanitize data, why are they used? 
    What do you mean by "sanitize"? Are you talking about Request Validation to prevent script injection via posting of HTML? If so, the ASP.NET team decided not to include request validation in .NET Core. They feel that automatic encoding of output built into Razor is enough protection.

    https://github.com/aspnet/BasicMiddleware/issues/64

    Monday, May 4, 2020 8:48 AM
  • User-1209166642 posted
    No, I mean: is htmlentities used automatically?

    If not, what good is the code generation?
    Monday, May 4, 2020 5:55 PM
  • User753101303 posted

    Hi,

    It is done when the value is rendered using Razor: https://docs.microsoft.com/en-us/aspnet/core/mvc/views/razor?view=aspnetcore-3.1#expression-encoding

    Or you mean that you want to store HTML encoded strings to your database?

    Monday, May 4, 2020 11:17 PM
  • User-1209166642 posted

    No, I do not want HTML in the DB. Okay, an example so all will understand.

    Example: In PHP Laravel Blade, Blade applies htmlentities to input.

    All I want to know: Does the generated code apply htmlentities?

    Escaping on rendering, ????

    As a programmer I learned 3 rules:

    1. Never trust user input.

    2. Never trust user input.

    3. Never trust user input.

    So if I have to apply htmlentities myself, or a strip tags implementation myself, why does asp.net core even bother having code generators?

    Fields need protection at input time also.

    Tuesday, May 5, 2020 1:36 AM
  • User711641945 posted

    Hi jimap_1,

    <input asp-for="Pet.PetName" class="form-control" />

    For this code, if you apply HtmlEntities in PHP with the following code:

    <?php
    $str = '<input asp-for="Pet.PetName" class="form-control" />';
    echo htmlentities($str);
    ?>

    It could generate the html:

    &lt;input asp-for=&quot;Pet.PetName&quot; class=&quot;form-control&quot; /&gt;
    

    Is the result what you want?

    Best Regards,

    Rena

    Tuesday, May 5, 2020 2:17 AM
  • User-1209166642 posted
    First in a generated model all you get is this:
    _context.Pet.Add(Pet);
    The fields are not individually requested.
    So in order to "clean" there I'd have to get each field individually something like:
    Pet.PetName = htmlentities(Pet.PetName); // just example

    /////or

    Pet.PetName = strip_tags(Pet.PetName); // just example
    Or in form:
    <input asp-for="htmlentities(Pet.PetName)" class="form-control" />
    // which of course is just example.
    My point and question, is this already being done?  
    And again, if not, why does asp.net even bother having a code generator?

    Do you realize how many new to .net core don't realize these dangers?

    Tuesday, May 5, 2020 4:02 AM
  • User-821857111 posted

    1. Never trust user input.

    2. Never trust user input.

    3. Never trust user input.

    You can do this in one of two ways:

    1. Screen every piece of user input on submission (which is what Request Validation did)
    2. HTML encode all rendered output (which is what Razor does)

    The .NET Core team opted for the latter approach - reasons are explained in the Github issue I linked to. However, values are not HTML encoded if they are applied to the value attribute of inputs or included within textarea elements. But any script that appears in those contexts isn't executed, like it would be if it was included elsewhere in an HTML document. 

    Tuesday, May 5, 2020 8:45 AM
  • User753101303 posted

    Incoming form fields are not HTML encoded. Razor does this when the value is written to the page.

    If you want to implement this a possible approach is to use https://www.stevejgordon.co.uk/html-encode-string-aspnet-core-model-binding 

    Tuesday, May 5, 2020 10:49 AM
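    As an added example of the "encode at binding time" approach referred to above (written for this thread, not code from the linked blog post or from ASP.NET Core itself; assumes ASP.NET Core 3.1 Razor Pages), this custom model binder HTML-encodes every bound string before it reaches the page model, so Pet.PetName is already encoded when _context.Pet.Add(Pet) runs:

```csharp
// Added example: HTML-encode bound string properties at input time.
// HtmlEncodeModelBinder / HtmlEncodeModelBinderProvider are hypothetical names.
using Microsoft.AspNetCore.Mvc.ModelBinding;
using Microsoft.AspNetCore.Mvc.ModelBinding.Binders;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using System.Text.Encodings.Web;
using System.Threading.Tasks;

public class HtmlEncodeModelBinder : IModelBinder
{
    private readonly IModelBinder _inner;   // the framework's normal string binder
    private readonly HtmlEncoder _encoder;  // same encoder Razor uses for @ output

    public HtmlEncodeModelBinder(IModelBinder inner, HtmlEncoder encoder)
    {
        _inner = inner;
        _encoder = encoder;
    }

    public async Task BindModelAsync(ModelBindingContext ctx)
    {
        await _inner.BindModelAsync(ctx);   // read the form field as usual
        if (ctx.Result.IsModelSet && ctx.Result.Model is string s)
        {
            // e.g. "<b>Rex</b>" is stored as "&lt;b&gt;Rex&lt;/b&gt;"
            ctx.Result = ModelBindingResult.Success(_encoder.Encode(s));
        }
    }
}

public class HtmlEncodeModelBinderProvider : IModelBinderProvider
{
    public IModelBinder GetBinder(ModelBinderProviderContext ctx)
    {
        if (ctx.Metadata.ModelType != typeof(string))
            return null;                    // only strings; dates, bools etc. bind normally
        var loggerFactory = ctx.Services.GetRequiredService<ILoggerFactory>();
        var inner = new SimpleTypeModelBinder(typeof(string), loggerFactory);
        return new HtmlEncodeModelBinder(inner, HtmlEncoder.Default);
    }
}

// Startup.ConfigureServices: register the provider first so it wins for strings.
//   services.AddRazorPages()
//           .AddMvcOptions(o => o.ModelBinderProviders.Insert(0,
//               new HtmlEncodeModelBinderProvider()));
```

    Because Razor also encodes on output, a value stored this way renders double-encoded (the page shows a literal "&lt;") unless it is written with @Html.Raw; that trade-off is the reason the thread's other replies prefer encoding once, at output.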
  • User475983607 posted

    My point and question, is this already being done?
    And again, if not, why does asp.net even bother having a code generator?

    Do you realize how many new to .net core don't realize these dangers?

    I think you are confused but I'm not sure what you are worried about.  Can you provide a code example?

    As explained several times above, Razor Pages HTML encodes dynamic output.   The following code renders as encoded HTML.

    // Index.cshtml.cs
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.RazorPages;
    
    public class IndexModel : PageModel
    {
        [BindProperty]
        public string html { get; set; }
    
        public void OnGet()
        {
            html = "<h1>Hello World</h1>";
        }
    }
    
    // Index.cshtml: @Model.html is HTML encoded, so the tags show as text
    @page
    @model IndexModel
    @{
        ViewData["Title"] = "Home page";
    }
    
    <div class="text-center">
        @Model.html
    </div>

    You must opt in to render raw HTML.

    <div class="text-center">
        @Html.Raw(Model.html)
    </div>

    Tuesday, May 5, 2020 11:27 AM
  • User-474980206 posted

    No, unlike old asp.net, asp.net core does not sanitize input data. See this thread for why:

      https://github.com/aspnet/BasicMiddleware/issues/64

    Output is HTML encoded by default.

    Tuesday, May 5, 2020 3:09 PM
  • User-1209166642 posted

    And none of you are the least bit concerned. 

    Output is HTML encoded by default.

    What about an API? Does not some stored data get retrieved via PHP, JAVA, and other languages?

    How does the "team" know how the data is handled?

    You senior forum members should be trying your best to change that.

    The problem is not everyone programming (newbies) knows to protect output. So Joe Blow decides he's going to create an api so folks can get some data from his site.

    Joe is new to this and folks can of course get data using other languages, are you seeing the problem?

    Tuesday, May 5, 2020 4:29 PM