I'm coming to C# ASP.NET from Ruby and PHP, and I'm enjoying some elements of it but am finding certain things difficult to achieve. It's a bit different to get my head around, and I'd really appreciate it if someone could help me get this bit up and running.
I am trying to take some text sent in a POST request, HTML-escape it, and then write it to a text file.
So I look it up, read a little, and try:
<%
System.IO.StreamWriter file = new System.IO.StreamWriter(Server.MapPath(#"./messager.txt"));
file.WriteLine(Request.Form["message"]);
file.Close();
%>
Not doing the HTML-escaping yet, just trying to actually write to the text file.
This doesn't work, though; it throws no error that I can see, but just does nothing, the text file isn't written to at all. I've researched the methods and can't really figure out why. I would really love some help.
If it helps, here is working Ruby code for what I am trying to do:
File.open "messager.txt", "w" {|f| f.puts h params[:message]}
You have to provide a virtual path relative to the web app when using Server.MapPath using the special character ~ which is a shortcut to the web app root directory. Now, the simplest way to do it is a follows...
System.IO.File.WriteAllText(Server.MapPath("~\messager.txt"), Request.Form["message"]);
this is assuming that the request actually contains the "message" form variable. Note that this approach will create a new file if it doesn't exist or will override it if it does exist.
However, in ASP.NET Web Forms we usually use server controls such as a TextBox, if when posting the page the message is set to a text box, then a better way to retrieve this message in OOP-style would be...
TextBox_ID.Text;
where TextBox_ID is the id of the TextBox
Edit
if Request.Form["message"] is coming in empty. Make sure that:
there's a text input element named message
there's no other element with the same name attribute
the input element is inside the form tag with runat=server attribute
you are posting back the page instead of issuing a GET request
I need to access the full path of a Resource file in my C# vs2010 project to use to create myType variable below. If I manually type the path as
#"C:\dir1\dir2\dir3\dir4\Source\dir5\dir6\Resources\myIcon.png"
the code works and accesses the icon. But if I use:
var result = Path.GetFullPath("myIcon.png")
The value in the variable result is the name of the correct directory except with two \ backslashes instead of one throughout i.e.
"C:\\dir1\\dir2\\dir3\\dir4\\Source\\dir5\\dir6\\myIcon.png"
. The problem is that I need to derive the result (file name variable) dynamically and I cant hard code it.
I don't know if I am supposed to manually get rid of the two \ and replace it with a single \ ? Or am I missing something.
var result = Path.GetFullPath("myIcon.png");
ToolboxItemWrapper myType = new ToolboxItemWrapper(
type,
#"C:\dir1\dir2\dir3\dir4\Source\dir5\ImAdmin\dir6\myIcon.png",
type.Name);
I am re-Editing my question. I have more than few problems, I am realizing after reading all the comments and the answers. So, I will mark the only answer as the answer but the one comment about being careful of using GetFullPath was also a valuable feedback. Thank you to all.
If you are seeing \\ in debugger, then it is simply debugger escaping the \ character so string appears the same way as if it were to appear as literal in the code. Clicking on the small magnifying glass will bring up dialog that shows true, human-readable value.
I have a URL say /Registration/GetName.aspx/?language=English
When i click on a Asp.net Button on the same Page and say Response.Redirect("CheckLoginName.aspx");
It gives me a weird URL
/Registration/GetName.aspx/CheckLoginName.aspx
What should i do
Please Help?
You should use "~/" inside your Redirect
So your code will look something like this
Response.Redirect("~/CheckLoginName.aspx");
Hope this helps
You should remove the trailing / before the query string, since it serves no purpose. Your URL should be /Registration/GetName.aspx?language=English. Another option is to have Response.Redirect("../CheckLoginName.aspx"); This should also work.
I think a solution using a relative path is better, since it is location independant. If you move these two files to another URL, there will be no need for code changes.
We have a high security application and we want to allow users to enter URLs that other users will see.
This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.
What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough?
Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance)
Is there an argument for not supporting user entered links at all?
Clarification:
Basically our users want to input:
stackoverflow.com
And have it output to another user:
stackoverflow.com
What I really worry about is them using this in a XSS hack. I.e. they input:
alert('hacked!');
So other users get this link:
stackoverflow.com
My example is just to explain the risk - I'm well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.
You'd be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise <iframe>, <img> and clever CSS references?
I'm working in a high security environment - a single XSS hack could result in very high losses for us. I'm happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?
If you think URLs can't contain code, think again!
https://owasp.org/www-community/xss-filter-evasion-cheatsheet
Read that, and weep.
Here's how we do it on Stack Overflow:
/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
return Regex.Replace(url, #"[^-A-Za-z0-9+&##/%?=~_|!:,.;\(\)]", "");
}
The process of rendering a link "safe" should go through three or four steps:
Unescape/re-encode the string you've been given (RSnake has documented a number of tricks at http://ha.ckers.org/xss.html that use escaping and UTF encodings).
Clean the link up: Regexes are a good start - make sure to truncate the string or throw it away if it contains a " (or whatever you use to close the attributes in your output); If you're doing the links only as references to other information you can also force the protocol at the end of this process - if the portion before the first colon is not 'http' or 'https' then append 'http://' to the start. This allows you to create usable links from incomplete input as a user would type into a browser and gives you a last shot at tripping up whatever mischief someone has tried to sneak in.
Check that the result is a well formed URL (protocol://host.domain[:port][/path][/[file]][?queryField=queryValue][#anchor]).
Possibly check the result against a site blacklist or try to fetch it through some sort of malware checker.
If security is a priority I would hope that the users would forgive a bit of paranoia in this process, even if it does end up throwing away some safe links.
Use a library, such as OWASP-ESAPI API:
PHP - http://code.google.com/p/owasp-esapi-php/
Java - http://code.google.com/p/owasp-esapi-java/
.NET - http://code.google.com/p/owasp-esapi-dotnet/
Python - http://code.google.com/p/owasp-esapi-python/
Read the following:
https://www.golemtechnologies.com/articles/prevent-xss#how-to-prevent-cross-site-scripting
https://www.owasp.org/
http://www.secbytes.com/blog/?p=253
For example:
$url = "http://stackoverflow.com"; // e.g., $_GET["user-homepage"];
$esapi = new ESAPI( "/etc/php5/esapi/ESAPI.xml" ); // Modified copy of ESAPI.xml
$sanitizer = ESAPI::getSanitizer();
$sanitized_url = $sanitizer->getSanitizedURL( "user-homepage", $url );
Another example is to use a built-in function. PHP's filter_var function is an example:
$url = "http://stackoverflow.com"; // e.g., $_GET["user-homepage"];
$sanitized_url = filter_var($url, FILTER_SANITIZE_URL);
Using filter_var allows javascript calls, and filters out schemes that are neither http nor https. Using the OWASP ESAPI Sanitizer is probably the best option.
Still another example is the code from WordPress:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/formatting.php#L2561
Additionally, since there is no way of knowing where the URL links (i.e., it might be a valid URL, but the contents of the URL could be mischievous), Google has a safe browsing API you can call:
https://developers.google.com/safe-browsing/lookup_guide
Rolling your own regex for sanitation is problematic for several reasons:
Unless you are Jon Skeet, the code will have errors.
Existing APIs have many hours of review and testing behind them.
Existing URL-validation APIs consider internationalization.
Existing APIs will be kept up-to-date with emerging standards.
Other issues to consider:
What schemes do you permit (are file:/// and telnet:// acceptable)?
What restrictions do you want to place on the content of the URL (are malware URLs acceptable)?
Just HTMLEncode the links when you output them. Make sure you don't allow javascript: links. (It's best to have a whitelist of protocols that are accepted, e.g., http, https, and mailto.)
You don't specify the language of your application, I will then presume ASP.NET, and for this you can use the Microsoft Anti-Cross Site Scripting Library
It is very easy to use, all you need is an include and that is it :)
While you're on the topic, why not given a read on Design Guidelines for Secure Web Applications
If any other language.... if there is a library for ASP.NET, has to be available as well for other kind of language (PHP, Python, ROR, etc)
For Pythonistas, try Scrapy's w3lib.
OWASP ESAPI pre-dates Python 2.7 and is archived on the now-defunct Google Code.
How about not displaying them as a link? Just use the text.
Combined with a warning to proceed at your own risk may be enough.
addition - see also Should I sanitize HTML markup for a hosted CMS? for a discussion on sanitizing user input
There is a library for javascript that solves this problem
https://github.com/braintree/sanitize-url
Try it =)
In my project written in JavaScript I use this regex as white list:
url.match(/^((https?|ftp):\/\/|\.{0,2}\/)/)
the only limitation is that you need to put ./ in front for files in same directory but I think I can live with that.
Using Regular Expression to prevent XSS vulnerability is becoming complicated thus hard to maintain over time while it could leave some vulnerabilities behind. Having URL validation using regular expression is helpful in some scenarios but better not be mixed with vulnerability checks.
Solution probably is to use combination of an encoder like AntiXssEncoder.UrlEncode for encoding Query portion of the URL and QueryBuilder for the rest:
public sealed class AntiXssUrlEncoder
{
public string EncodeUri(Uri uri, bool isEncoded = false)
{
// Encode the Query portion of URL to prevent XSS attack if is not already encoded. Otherwise let UriBuilder take care code it.
var encodedQuery = isEncoded ? uri.Query.TrimStart('?') : AntiXssEncoder.UrlEncode(uri.Query.TrimStart('?'));
var encodedUri = new UriBuilder
{
Scheme = uri.Scheme,
Host = uri.Host,
Path = uri.AbsolutePath,
Query = encodedQuery.Trim(),
Fragment = uri.Fragment
};
if (uri.Port != 80 && uri.Port != 443)
{
encodedUri.Port = uri.Port;
}
return encodedUri.ToString();
}
public static string Encode(string uri)
{
var baseUri = new Uri(uri);
var antiXssUrlEncoder = new AntiXssUrlEncoder();
return antiXssUrlEncoder.EncodeUri(baseUri);
}
}
You may need to include white listing to exclude some characters from encoding. That could become helpful for particular sites.
HTML Encoding the page that render the URL is another thing you may need to consider too.
BTW. Please note that encoding URL may break Web Parameter Tampering so the encoded link may appear not working as expected.
Also, you need to be careful about double encoding
P.S. AntiXssEncoder.UrlEncode was better be named AntiXssEncoder.EncodeForUrl to be more descriptive. Basically, It encodes a string for URL not encode a given URL and return usable URL.
You could use a hex code to convert the entire URL and send it to your server. That way the client would not understand the content in the first glance. After reading the content, you could decode the content URL = ? and send it to the browser.
Allowing a URL and allowing JavaScript are 2 different things.
I'm a newbie to c# so hopefully this one isn't too hard for a few of you.
I'm trying to build a string that has a \ in it and I am having difficulty getting just one backslash to show up even though I am adding additional escape chars or ignoring them all together. Can someone show me what I am doing wrong?
What I want my string to look like:
"10.20.14.103\sql08"
What I've tried so far:
I added an additional character to make the compiler happy but it did not escape it.
ip = string.Format("{0}\\\\{1}", ip, instancename); // output has 2 \'s
I told it to ignore escapes, it decided to ignore me instead
string temp = #"192.168.1.200\sql08"; // output has 2 \'s
Can someone help me make sense of this? (The richtext editor here seems to do a better job with it than VS2010 is doing, lol)
I'm guessing you're getting confused by the debugger.
If you hover your mouse over a local variable in VS, strings will be escaped so a single \ will display as \\.
To see what your string really is, output it somewhere for display (e.g., to the console) or hover your mouse on the variable, click on the arrow next to the little magnifying glass that appears, and select "Text Visualizer."
If you're looking at these strings in the debugger (i.e., by hovering the mouse over the variable or using a watch), the debugger adds escape characters to the display string so that it's a valid string expression. If you want to view the string verbatim in this fashion, click on the magnifying glass on the right side of the tooltip or watch entry with the string in it.
I'm guessing you're looking at the values in the debugger and seeing that they have two slashes.
That's normal. The debugger will show two slashes even though the actual string representation will only have one. Just another hump to get over when getting used to the debugger.
Be assured that when you actually use your strings, they will still only have a single slash (using either of your methods).
string requiredString = string.Format(#"{0}\\{1}",str1,str2);