locked
XSS issue RRS feed

  • Question

  • User-1550472056 posted

    Why is this label open to XSS and what should I add to fix the issue.

    lbl_applicantName.Text = Helper.ConvertStringToTitleCase(applicantName);

    public static string ConvertStringToTitleCase(string value)
            {
                //Create CultureInfo and TextInfo classes to use ToTitleCase method
                CultureInfo cultureInfo = Thread.CurrentThread.CurrentCulture;
                TextInfo textInfo = cultureInfo.TextInfo;
                if (value != null)
                {
                    return textInfo.ToTitleCase(value.ToLower());
                }
                else
                {
                    return "";
                }
            }

     

    Tuesday, June 24, 2014 3:14 PM

Answers

  • User-760709272 posted

    The issue is actually where "applicantName" comes from.  If that has come from a malicious user and you haven't sanatised the input then it could contain javascript.  By passing the data through a function that does nothing to html encode the text, and then write that text direct to the screen, you are exposing your users to xss attacks.  If you can absolutely verify that no malicious input could ever possibly be in "applicantName" then you could tentatively say you're safe.  What you should do is this;

    lbl_applicantName.Text = Server.HtmlEncode(Helper.ConvertStringToTitleCase(applicantName));

    That's the real issue; that you're not encoding the data, the issue isn't so much what is inside your ConvertStringToTitleCase function (which you could actually make an extension method if you use it a lot, but that's beside the point).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 24, 2014 4:08 PM