I'm currently working to solve a major permanent XSS vulnerability on my website. To do this, I am calling:
this.Title = System.Security.SecurityElement.Escape(this.Title);
On the values I am taking in, which properly escapes all of the characters that need to be escaped (<, >, &, etc.). My problem arises when I go to display this title elsewhere in my page:
<p> #title </p>
Which displays the string exactly as it appears, such as "< ;> ;, etc.".
To solve this problem, I have noticed that if I call:
<p> #html.raw(title) </p>
That the values are properly displayed on the page (<, >, etc.). But I am afraid that this still ensures a vulnerability. What is the best way to properly render the html onto the page? Am I doing anything wrong? Or am I properly using html.raw()?
You want to take and store the title as is comes in. Then you escape the title on output.
See answer on e.g. html/XSS escape on input vs output
Related
I am using ASP.NET MVC, when I want to use the tag in #Html.Raw, this tag does not appear in the desired <div>.
As shown here:
<div class="mt-4 current-cursor">
#Html.Raw("<strong>OKK</strong> <p><ul><li style='font-size:18px;'>1.Test1</li><li>2.Test2</li></p>")
</div>
The result that it displays for me is as below, that is, it does not recognize the <strong> tag at all.
Html.Raw does not interpret anything at all. It just spews the given string unencoded into the output docuument.
So if it doesn't look right in your case, possible you have some CSS in that page that causes it to look as it does. You could use F12 (Developer Tools, depending on your browser) to inspect the "OKK" for details.
BTW, the other tags in your example also look wrong (which could also be an issue given existing CSS in the page).
In my case, for example, using some (other) arbitrary styles, your code looks like this:
I'm trying to encode data that is to be displayed on a separate page (.aspx) after a user submits a form with their information and questions. There are both text input and textarea fields that the user can fill out.
I'm using the <%#: %> expression to place this data on the page since it does the HTML encoding, but have run into an issue with the encoding also encoding the br tags as text instead of actual line breaks.
Is there a way to make it so that the br tags still cause a line break, but leave everything else encoded using this method?
Example of user input:
Hi
This is what should be responded with.
Here is an example of the code that places it on the page:
<p><%#: ((DiscussionThread.Discussion)Container.DataItem).Text %></p>
What it currently displays on the page:
Hi<br /><br />This is what should be responded with.
Thanks in advanced!
Don't know, will it help you in your case or no, but I always use next way:
string forInput = yourTextBoxID.Text.ToString().Replace(Environment.NewLine, "%NL%");
string forOutput = forInput.Replace("%NL%", Environment.NewLine);
If in forOutput Environment.NewLine will not work, change it to <br />
%NL% it is just a identificator, u may change to anything else.
I'm trying to do a password recovery with SMTP. In the email, i've added some necessary text and hyperlink for the user to recover their password. As you can see the code here, i've added a hyper link.
strBody.Append("Click here to change your password.");
In order to add a non-hyperlink text, i added this statement behind the code.
strBody.Append("Click here to change your password. \t\t\t\t This is a computer generated email for your password recovery. \t\t please do not reply this email.");
I've added a \t in the string but instead it doesn't show any tab spacing in the email. What have i done wrong here?
The fact that you have HTML in your body makes me assume that you are sending HTML emails. If this is the case then your tabs will be in the source but HTML collapses all whitespace which includes tabs.
You'll have to either use proper HTML to indent your text (eg margins on block elements) or use plain text where tabs and such like will work.
There are no tabs in HTML. That \t is a Windows character code. You'll need to either throw a <span style="margin-left: 1em;"> around the text or use (many times).
I think the right approach is this:
<span style=\"margin-left: 1em;\">This is a computer generated email for your password recovery.</span>
use multiple times instead of tabs in your html message body.
You're probably sending the email as HTML, therefore the tab (\t) will be rendered as a single space, which is normal.
Either change the email format normal (plain text) or add styling to mimic the indentation you want.
Tab characters inside <pre></pre> tags seem to survive.
I have not tried this in an e-mail yet, but you can give it a shot.
<pre>
a b c d
</pre>
In my signup form, I'm using asp.net unobtrusive validation to check if a username exists. My JsonResult method returns the following if a clash is found:
This is already in use. How about \u003cstrong\u003efoo123\u003c/strong\u003e?
I use Microsoft's unobtrusive validation to display this in my view:
#Html.ValidationMessageFor(m => m.Username)
which causes it to appear as follows in the page source:
This is already in use. How about
<strong>foo123</strong>
?
As you can see, the text is split over three lines. This is not a problem in Firefox, but in Chrome these new lines are causing the displayed text to break in a similar manner to <br />. I believe the encoding is to blame for this - can anyone explain why? Is there any solution to this issue?
Thank you in advance.
Without having tried it, you could try to replace newlines in the string with... nothing?
#Html.ValidationMessageFor(m => m.Username).ToString().Replace(Environment.NewLine, "");
Feels really weird that would be the problem though since it's just in Chrome, double-check CSS rules. Or just surround the validation message in a p-tag?
If they are displayed with line breaks on the actual page, then first thing I would do is inspect <strong/> tag and see if there is any CSS that defines it as display:block; or overrides white-space property.
If you are concerned about output of the DOM explorer... That's just how Chrome displays DOM trees. These three lines are each individual nodes (2 text nodes and one element node), so they are treated as equal. If you inspect the first paragraph of my answer, you will see the same thing.
try tweaking with css.
\u003cdiv\u003e
This is already in use. How about \u003cstrong\u003efoo123\u003c/strong\u003e?
\u003c/div\u003e?
I think this is due the some padding issue. Upload the generated Html code of the page.
These spaces are not added by me on HTML SIDE and i cannot edit HTML
I want to know what should my comparison string?
I am using watin to automate website testing process but I am unable to encounter only one button.Every other works
watin searches content by name /values /id and many more and works fine but when i see the value of the submit button that i need to be clicked it has some breaks &nsbp so i think they are playing some role
Here is the html:
<span class='button'><input type="submit" value=" Login " /></span>
<span class='button'><input type="button" value=" Back " onclick="history.back(-1)" /></span>
and here is the code to search
browser.Button(WatiN.Core.Find.ByValue(" Login ")).Click();
what can be done??
-- Suggestion -- (i.e. too big for a comment)
You shouldn't use to add spaces to the submit button. Rather, you should use CSS to style the button to your liking. So you would have something like:
input[type=button] {
padding:10px;
min-width: 150px;
}
By the same token, this could eliminate any of the issues you're having with selecting the button. It could be an issue of encodings breaking with watin and as a result, doing this with CSS will make debugging the issue much cleaner and much easier.
Edit:
Have you tried searching by ID as opposed to by value? ID's are supposed to be unique on a page, so if it doesn't find it by those means, then that's one issue that can be rules out. It could also be the fact that you're searching for a button. A <button> is not the same as a <input type="button">.
Edit 2: Even though the issue was due to encodings breaking, I still recommend you reset that button to reset the text (removing all the non breaking spaces) and attach an id/name to it. The reason being for internationalization purposes - and if for some reason you modify the size of the button in the designer, or i18n the app and the text is different, your test will break.
You shouldn't use entities with WatiN.
This code will work, but you have to use real non-breaking space character:
browser.Button(
WatiN.Core.Find.ByValue(
" Login ")).Click();
This is probably inconvenient, but you could use (after adding reference to System.Web) HttpUtility class:
browser.Button(
WatiN.Core.Find.ByValue(
System.Web.HttpUtility.HtmlDecode(
" Login "))).Click();
But, if I were you, I would just go with Regex:
browser.Button(
WatiN.Core.Find.ByValue(
new Regex(#"^\s*Login\s*$"))).Click();
or even new Regex("Login").
Interesting thing: If you ever will have to Find.ByText you don't have to bother so much, and you can use regular space (ie. not exactly non-breaking space). That's because native IE IHTMLElement::getAttribute (http://msdn.microsoft.com/en-us/library/aa752280(VS.85).aspx) converts from innertext attribute to regular spaces, but from value, id etc. it doesn't ( are converted to real non-breaking spaces - 0xA0)
Wow, you really like spaces! I would remove those and use padding/margins like html was designed to be used. Then you wont need all those spaces and you can assign a proper value to your button which watiN will recognize.
I think it is because the in the HTML source is actually an escaped version of the special character that represents a none breaking space. So in you C# source, you'll probably need that character instead of the html entity code. I think you can find the code of that character by using this button to submit a GET form. It will show the escaped character code in the url.
Of course it is better not to put the spaces in there at all. You should give the button a padding using CSS instead.