Tip: MVC - Text input - Validate Xss

Sep 30, 2011 22:38:55   //   Geert Van Huychem   //   Freebies   //   0 comments

Pretty sure you came across this one: "A potentially dangerous Request.Form value was detected from the client", for example when you tried to add HTML tags to a blog post.

To avoid this error in ASP.NET, you just have to add ValidateRequest="false" to the page directive, or in MVC add the ValidateInput(false) attribute to the controller method.

Fairly easy to avoid the error, but now your page is no longer protected against XSS attacks. One way to avoid this is filtering the user input, for example by using HtmlAgilityPack, as illustrated in the code below.

A major advantage of this approach: it also removes encoded script tags. Actually, you can remove just about anything, like images if you want to.

    // ValidateXssExtension.cs
    using HtmlAgilityPack;

    namespace iFrameWorx.Core.Utilities.Extensions.String
    {
        public static class ValidateXssExtension
        {
            public static string ValidateXss(this string input)
            {
                try
                {
                    var html = new HtmlDocument { OptionFixNestedTags = true, OptionAutoCloseOnEnd = true };

                    html.LoadHtml(input);

                    //  remove all <script> elements, including their content
                    var scripts = html.DocumentNode.SelectNodes("//script");
                    if (scripts != null)
                        foreach (var script in scripts)
                            script.Remove();

                    return html.DocumentNode.OuterHtml;
                }
                catch
                {
                    //  ignore error, return input
                    //  (note: this fails open, the unfiltered input is returned when parsing throws)
                }

                return input;
            }
        }
    }

    // ValidateXssUnitTest.cs
    using iFrameWorx.Core.Utilities.Extensions.String;

    using NUnit.Framework;

    namespace iFrameWorx.Core.UnitTests.Extensions
    {
        [TestFixture]
        public class ValidateXssUnitTest
        {
            [Test]
            public void ValidateXss()
            {
                var s = "<script>alert('Hello!');</script>";

                s = s.ValidateXss();

                Assert.IsNullOrEmpty(s);
            }

            [Test]
            public void ValidateXssEncoded()
            {
                //  \x3c and \x27 are C# string escapes for '<' and '\'', so the C# compiler
                //  already turns this into literal <script> tags; only the %20 sequences
                //  reach ValidateXss undecoded (as text inside the script element)
                var s = "\x3cscript\x3e%20alert(\x27Hello!\x27)%20\x3c/script\x3e";

                s = s.ValidateXss();

                Assert.IsNullOrEmpty(s);
            }
        }
    }
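An allowlist variant of the same HtmlAgilityPack approach, added here as an example and not part of the original post: instead of removing only script nodes, it keeps a short list of harmless elements and attributes, unwraps every other element, and drops href values whose scheme is not http, https or mailto. The class and method names (SanitizeHtmlExtension, SanitizeHtml) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

namespace iFrameWorx.Core.Utilities.Extensions.String
{
    // Hypothetical allowlist sanitizer built on HtmlAgilityPack (not the post's own code).
    public static class SanitizeHtmlExtension
    {
        static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "blockquote", "code", "pre" };
        static readonly HashSet<string> AllowedAttrs = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "href", "title" };

        public static string SanitizeHtml(this string input)
        {
            if (string.IsNullOrEmpty(input)) return string.Empty;
            var doc = new HtmlDocument { OptionFixNestedTags = true, OptionAutoCloseOnEnd = true };
            doc.LoadHtml(input);
            Clean(doc.DocumentNode);
            return doc.DocumentNode.OuterHtml;
        }

        static void Clean(HtmlNode node)
        {
            foreach (var child in node.ChildNodes.ToList())          // copy: removals mutate ChildNodes
            {
                if (child.NodeType == HtmlNodeType.Comment) { child.Remove(); continue; }
                if (child.NodeType != HtmlNodeType.Element) continue;
                if (child.Name == "script" || child.Name == "style") { child.Remove(); continue; } // drop with content
                if (!AllowedTags.Contains(child.Name))
                {
                    Clean(child);                                    // sanitize descendants first
                    node.RemoveChild(child, true);                   // then keep them, drop the tag itself
                    continue;
                }
                foreach (var attr in child.Attributes.ToList())
                    if (!AllowedAttrs.Contains(attr.Name) || !IsSafeHref(attr)) attr.Remove();
                Clean(child);
            }
        }

        static bool IsSafeHref(HtmlAttribute attr)
        {
            if (!attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase)) return true;
            // decode entities and strip whitespace/control characters before reading the scheme
            var value = HtmlEntity.DeEntitize(attr.Value ?? "");
            value = new string(value.Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
            int colon = value.IndexOf(':'), stop = value.IndexOfAny(new[] { '/', '?', '#' });
            if (colon < 0 || (stop >= 0 && stop < colon)) return true;   // relative URL, no scheme
            var scheme = value.Substring(0, colon).ToLowerInvariant();
            return scheme == "http" || scheme == "https" || scheme == "mailto";
        }
    }
}
```

Text nodes are passed through as parsed; the output is still meant to be rendered inside an HTML body, not inside attributes or script contexts.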
