Protecting Against Script Exploits in a Web Application

Most scripting exploits occur when users can get executable code (script) into your application. By default, ASP.NET provides request validation, which raises an error if a form post contains any HTML whatsoever.

You can protect against script exploits in these ways:

  • Apply HTML encoding to strings before accepting or displaying them, so that the strings do not include any executable elements.
  • If your application needs to accept some HTML, disable request validation and create your own HTML filter.

The procedures in this topic describe how to perform these tasks.

Applying HTML Encoding

HTML encoding replaces the HTML reserved characters in a string (such as <, >, and &) with their character-entity equivalents, so that any HTML elements in the string are displayed as text rather than interpreted and executed by the browser.

To apply HTML encoding

  • Before displaying strings, call the Server object's HtmlEncode method. HTML elements are converted into string representations that the browser will display rather than interpret as HTML.

    The following example illustrates HTML encoding. In one instance, the user input is encoded before being displayed. In the second instance, data from a database is encoded before being displayed.

    Note   This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". Never disable request validation without adding your own check or filter.
    ' Visual Basic
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e _
          As System.EventArgs) Handles Button1.Click
       Label1.Text = Server.HtmlEncode(TextBox1.Text)
       Label2.Text = _
           Server.HtmlEncode(dsCustomers.Customers(0).CompanyName)
    End Sub
    
    // C#
    private void Button1_Click(object sender, System.EventArgs e)
    {
        Label1.Text = Server.HtmlEncode(TextBox1.Text);
        Label2.Text = 
            Server.HtmlEncode(dsCustomers1.Customers[0].CompanyName);
    }
    

Filtering HTML Elements

By default, Web Forms pages detect any HTML elements and reserved characters in information posted to the server. This prevents users from trying to embed script into your application. When the page detects HTML, it raises an error. You can catch this error using a Page_Error or Application_Error handler. For details, see Displaying Safe Error Messages.
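The following is an added example, not code from the original topic, of the Page_Error handler mentioned above. It recognises the exception that request validation raises (HttpRequestValidationException, in System.Web), records the event to a server-side log, and returns a generic message rather than echoing the rejected input; the exception's own message quotes the offending value, so it belongs in the log only. The page class name and the use of System.Diagnostics.Trace as the log destination are assumptions.

```csharp
// Added example: handling the request-validation error in a Web Forms code-behind.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page   // hypothetical page class
{
    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Request validation throws HttpRequestValidationException when a posted
        // field contains markup. Its Message includes the rejected value, so log it
        // server-side and never write it back into the response.
        if (ex is HttpRequestValidationException)
        {
            Trace.TraceWarning(
                "Request validation rejected input on {0} from {1}",
                Request.RawUrl, Request.UserHostAddress);

            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            Response.ContentType = "text/html";
            Response.Write(
                "<p>Your input contained characters that are not allowed. " +
                "Please remove any HTML and try again.</p>");

            // End the response without the ThreadAbortException that Response.End() raises.
            Context.ApplicationInstance.CompleteRequest();
        }
        // Any other exception is left unhandled here so that Application_Error
        // or the customErrors configuration deals with it.
    }
}
```

The handler deliberately sends the same generic text for every rejected post; the details that would help in diagnosing the event (URL, client address, the full exception message) go to the log, where they are not visible to the client.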

However, if your application needs to accept some HTML elements, turn off request validation and create a filter that allows only the HTML elements that you want to accept.

Note   Do not create a filter that attempts to filter out only unacceptable elements, because it is difficult to anticipate every possible bad input. Instead, if you do create a filter, create one that defines acceptable input.

To filter HTML elements

  1. Disable request validation by adding the attribute ValidateRequest="false" to the @ Page directive.
    Security Note   Never disable automatic request validation without adding your own checks or filter.
  2. Encode the string using the HtmlEncode method.
  3. Call the String.Replace method to convert the encoded HTML tags you want to accept back to their HTML forms.
    Tip   If you are familiar with regular expressions, you can use one to perform the filtering efficiently. For details, see .NET Framework Regular Expressions.

    The following example illustrates a simple filter that accepts bold and underline elements (<b>, </b>, <u>, </u>). All other user input is encoded before being displayed.

    Security Note   Many HTML tags allow script in their attributes. For example, the tag <img src="javascript:alert('hi')"> is legal. If you want to accept HTML tags that are more complex than simple formatting tags, you must be sure that a malicious user cannot pass script to your application in the guise of an allowed HTML tag.
    ' Visual Basic
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
       Dim userinput As String = TextBox1.Text
       userinput = Server.HtmlEncode(userinput)
       ' Accepts <b>, </b>, <u>, </u>, case-insensitive
       userinput = userinput.Replace("&lt;b&gt;", "<b>")
       userinput = userinput.Replace("&lt;/b&gt;", "</b>")
       userinput = userinput.Replace("&lt;B&gt;", "<B>")
       userinput = userinput.Replace("&lt;/B&gt;", "</B>")
       userinput = userinput.Replace("&lt;u&gt;", "<u>")
       userinput = userinput.Replace("&lt;/u&gt;", "</u>")
       userinput = userinput.Replace("&lt;U&gt;", "<U>")
       userinput = userinput.Replace("&lt;/U&gt;", "</U>")
       Label1.Text = userinput
    End Sub
    
    // C#
    private void Button1_Click(object sender, System.EventArgs e)
    {
        String userinput = TextBox1.Text;
        userinput = Server.HtmlEncode(userinput);
        // Accepts <b>, </b>, <u>, </u>, case-insensitive
        userinput = userinput.Replace("&lt;b&gt;", "<b>");
        userinput = userinput.Replace("&lt;/b&gt;", "</b>");
        userinput = userinput.Replace("&lt;B&gt;", "<B>");
        userinput = userinput.Replace("&lt;/B&gt;", "</B>");
        userinput = userinput.Replace("&lt;u&gt;", "<u>");
        userinput = userinput.Replace("&lt;/u&gt;", "</u>");
        userinput = userinput.Replace("&lt;U&gt;", "<U>");
        userinput = userinput.Replace("&lt;/U&gt;", "</U>");
        Label1.Text = userinput;
    }
    
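The following is an added example, not code from the original topic, that carries the three-step procedure above through as a reusable allowlist filter and takes up the Tip about using a regular expression instead of one Replace call per tag and case. It uses System.Net.WebUtility.HtmlEncode, the standalone equivalent of Server.HtmlEncode, so it runs as a console program outside ASP.NET; the class name, the allowlist contents, and the sample inputs are constructed for this example.

```csharp
// Added example: encode everything, then restore only the allowlisted tags.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class SafeHtmlFilter
{
    // The allowlist: bare opening and closing tags with no attributes.
    // Anything not listed here stays encoded.
    private static readonly string[] AllowedTags = { "b", "u" };

    // Matches the encoded form of an allowed tag, e.g. "&lt;b&gt;" or "&lt;/U&gt;".
    // Because nothing may appear between the tag name and "&gt;", a tag that
    // carries attributes (an event handler, a javascript: URL) never matches.
    private static readonly Regex AllowedTagPattern = new Regex(
        @"&lt;(?<slash>/?)(?<tag>" + string.Join("|", AllowedTags) + @")&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Filter(string userInput)
    {
        if (userInput == null)
            return string.Empty;

        // Step 2: encode the whole string so that no markup survives.
        string encoded = WebUtility.HtmlEncode(userInput);

        // Step 3: convert only the allowlisted tags back to their HTML form.
        return AllowedTagPattern.Replace(encoded, m =>
            "<" + m.Groups["slash"].Value
                + m.Groups["tag"].Value.ToLowerInvariant() + ">");
    }

    public static void Main()
    {
        // Constructed sample inputs covering allowed tags, a script element,
        // an allowed tag with a hostile attribute, and plain reserved characters.
        string[] samples =
        {
            "Hello <b>world</b> and <U>you</U>",
            "<script>alert('x')</script>",
            "<b onmouseover=\"alert(1)\">bold</b>",
            "<img src=\"javascript:alert('hi')\">",
            "a < b && c > d"
        };

        foreach (string s in samples)
            Console.WriteLine("{0}\n  -> {1}\n", s, Filter(s));
    }
}
```

Only the first sample comes back with live markup (<b>, </b>, <u>, </u>); in the others every < and > remains encoded, including the opening tag of the third sample, which is refused because of its attribute. The result is safe to assign to a control's Text property or to write into element content, as the topic's examples do; it is not safe to place inside an attribute value or a script block, where a different, context-specific encoding is required.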

See Also

Scripting Exploits | Overview of Web Application Security Threats | Basic Security Practices for Web Applications | Security Portal

© 2014 Microsoft