[Turn] common HTML helper methods resistance to XSS attacks

Source: Internet
Author: User
Tags: regex expression

ASP.NET MVC & jQuery: pay attention to small details to prevent XSS attacks
    • Objective

      The scariest thing about developing a website is writing a site that can be attacked. Many developers who do not pay attention walk straight into Cross-site Scripting (XSS) hell; the fix is simple, but the trap is easy to fall into, and I have fallen into it many times myself. It is especially easy to use the wrong method when manipulating a dynamic page through jQuery, which is exactly what causes an XSS bug. So I have collected several coding techniques to share on how to prevent XSS attacks.

      XSS script attack

      Look at the screen below. It is a simple message-posting window; if a hacker enters a JavaScript fragment into it today, the result is this:

      [screenshot of the message window, not reproduced in this copy]

      Imagine how horrible this is: anyone who understands JavaScript can start disrupting your site. Note in particular that if content is displayed straight after the user submits it, or is fetched through Ajax and then displayed, you need to be aware that the danger of XSS exists.

      Tips for prevention

      1. During development it is tempting to temporarily switch off the basic protection for the needs of the project, so before going live remember to check that the settings in Web.config are back to normal:

      <system.web>
        <!-- the default is true; keep request validation switched on -->
        <pages validateRequest="true"/>
      </system.web>

      Request validation only rejects requests that contain obviously dangerous markup; it is a coarse safety net, not a replacement for encoding output, so the remaining tips still apply even with it on.

      2. The common approach is to encode content with Server.HtmlEncode:

      string value = Server.HtmlEncode("<script>alert('XSS attack');</script>");

      If the .NET Framework in use is version 4.5, you can encode content with the newer AntiXssEncoder.HtmlEncode method, which requires a reference to the System.Web.Security.AntiXss namespace (the second argument selects named entities such as &quot; over numeric ones):

      using System.Web.Security.AntiXss;
      string value = AntiXssEncoder.HtmlEncode("<script>alert('XSS attack');</script>", true);

      3. If you are developing with ASP.NET MVC, using the Html Helpers in the View to display data also takes care of most security issues for you.

      First we deliberately write a malicious piece of code that will cause an XSS attack; this is the Controller in ASP.NET MVC:

      public ActionResult Index()
      {
          TestModel model = new TestModel();
          // deliberately store a script payload in the model to see which helpers let it through
          model.XssAtack = "<script>alert('attack');</script>";
          return View(model);
      }

      Here are a few ways to show the data in the View, to examine how each method handles the XSS payload:

      @Html.DisplayFor(p => p.XssAtack)       @* attack fails: plain text is displayed *@
      @Html.DisplayForModel()                 @* attack fails: plain text is displayed *@
      @Html.EditorFor(p => p.XssAtack)        @* attack fails: an <input> is rendered with the encoded value *@
      @Html.Encode(Model.XssAtack)            @* attack fails: the content is encoded *@
      @Html.Raw(Model.XssAtack)               @* attack succeeds: the alert window pops up *@
      @Html.DisplayTextFor(p => p.XssAtack)   @* attack succeeds: the alert window pops up *@

      The test shows that Html.Raw and Html.DisplayTextFor let the XSS attack through, so use these two Html Helpers with care when developing in ASP.NET MVC to avoid unnecessary problems. Conversely, if the requirement really is to pop up an alert to remind the user, these two methods are the ones that will render the markup, but only feed them content you generated yourself, never user-supplied data. The results above reflect the MVC version the author tested on; later releases of MVC 5 changed DisplayTextFor to HTML-encode its output by default, so re-run this check against the version you actually ship instead of relying on the table.

      4. Also use jQuery's .html() method with care.

      Error Demonstration I

      <table>
        <tbody>
          <tr>
            <td class="td1"></td>
          </tr>
        </tbody>
      </table>

      <script>
        // the closing tag is written as <\/script> so it does not terminate this script block
        var result = "<script>alert('attack success')<\/script>";
        // .html() parses the string as HTML and executes the script: an XSS hole
        $(".td1").html(result);
      </script>

      If you simply want to display the content in the td as text, set it with the .text() method instead:

      $(".td1").text(result);

      Error Demonstration II

      Suppose we fetch the table content through Ajax and set it with .html(); this has the same XSS problem.

      Controller:

      public JsonResult GetData()
      {
          var data = new { id = "s001", name = "<script>alert('XSS attack')</script>" };
          return Json(data, JsonRequestBehavior.AllowGet);
      }

      View:

      <table id="GridContent">
      </table>

      <script>
          $(function () {
              $.getJSON("/home/getdata/", function (data) {
                  var tr = "";
                  tr += "<tr>";
                  tr += "<td>" + data["id"] + "</td>";
                  // the name field is concatenated raw, so the <script> payload is rendered and executed
                  tr += "<td>" + data["name"] + "</td></tr>";
                  $("#GridContent").html(tr);
              });
          });
      </script>

      The fix is to change the way the row is written: select each <td> with jQuery and set its value with .text() rather than concatenating raw strings into .html(). Admittedly this performs worse, since building the cells element by element costs more DOM operations. The more reliable approach is to encode on the server side before the data is sent, so the browser never receives raw markup. Another option is to check the string with a regular expression, but that is more complicated, and a regex blacklist is easy to bypass; encoding for the context the data is emitted into is the dependable defence.

      5. When you assemble the query string of an Ajax call yourself, encode each parameter with encodeURIComponent:

      var arg = encodeURIComponent("http://tw.yahoo.com");
      $.getJSON("/home/getdata/?id=" + arg, function (data) {
          // do something
      });

      Two caveats. If you pass the parameters to $.getJSON as a data object ({ id: value }) instead, jQuery already URL-encodes each value for you, and calling encodeURIComponent first double-encodes it (the server receives %253A where it expected %3A). And encodeURIComponent is URL encoding, not HTML encoding: it keeps the parameter from breaking the URL, but whatever the server echoes back still has to be HTML-encoded when it is displayed.
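      The following is an added example, not code from the original article, that puts items 4 and 5 into one runnable file: an escapeHtml helper applied before the row string reaches .html(), the unsafe renderer from Error Demonstration II beside the hardened one, and a hand-built query URL using encodeURIComponent. It runs under Node.js without jQuery (the jQuery .text()/.append() alternative is shown only in a comment); the records in SAMPLE_RECORDS are constructed test data, and renderRowUnsafe, renderRowSafe, buildQueryUrl and containsRawValue are names chosen here.

```javascript
// Added example (not from the original article): encode untrusted data before it
// reaches jQuery's .html(), and build Ajax URLs safely. Runs under Node.js without
// jQuery; the DOM/jQuery calls are shown in comments only.

// The five characters that matter in HTML element and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so it is rendered as literal text when concatenated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern from the article: raw concatenation into a row string.
function renderRowUnsafe(record) {
  return '<tr><td>' + record.id + '</td><td>' + record.name + '</td></tr>';
}

// Hardened version: every field passes through escapeHtml before concatenation,
// so $('#GridContent').html(renderRowSafe(data)) cannot inject elements.
function renderRowSafe(record) {
  return '<tr><td>' + escapeHtml(record.id) + '</td><td>' + escapeHtml(record.name) + '</td></tr>';
}

// Alternative without string building (browser only, shown for comparison):
//   var tr = $('<tr>');
//   tr.append($('<td>').text(record.id), $('<td>').text(record.name));
//   $('#GridContent').empty().append(tr);
// .text() sets textContent, so the browser never parses the value as markup.

// Build the request URL by hand: here encodeURIComponent is required, because
// nothing else encodes the value. When passing a data object to $.getJSON
// ({ id: value }), jQuery already encodes it via $.param; encoding it yourself
// first produces a double-encoded value (%253A instead of %3A) on the server.
function buildQueryUrl(path, params) {
  const pairs = Object.keys(params).map(
    (k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k])
  );
  return pairs.length ? path + '?' + pairs.join('&') : path;
}

// Constructed sample records (not real server output): what the article's GetData
// action would return for malicious names. The <script> payload only runs when
// jQuery re-parses it; the onerror payload would fire under plain innerHTML too.
const SAMPLE_RECORDS = [
  { id: 's001', name: "<script>alert('XSS attack')</script>" },
  { id: 's002', name: '<img src=x onerror=alert(1)>' },
  { id: 's003', name: 'O\'Brien & "friends"' },
];

// True when the rendered markup still contains the data value verbatim, i.e. the
// special characters in it reached the HTML parser unchanged.
function containsRawValue(html, record) {
  return html.includes(record.name);
}

// Self-check over the samples: the unsafe renderer leaks every payload, the safe
// one leaks none of them.
function demo() {
  return SAMPLE_RECORDS.map((r) => ({
    id: r.id,
    unsafeLeaks: containsRawValue(renderRowUnsafe(r), r),
    safeLeaks: containsRawValue(renderRowSafe(r), r),
  }));
}

console.log(demo());
console.log(buildQueryUrl('/home/getdata/', { id: 'http://tw.yahoo.com' }));
```

      Running the file prints one result object per sample record (unsafeLeaks true, safeLeaks false for all three) followed by /home/getdata/?id=http%3A%2F%2Ftw.yahoo.com. The escaping is done on the client here only to mirror the article's jQuery code; the author's own recommendation, encoding on the server before the JSON is sent, still holds and is the simpler design when you control both ends.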

      Summary

      Of all these prevention methods, the fundamental point is to validate input completely at the moment the user first submits it, and never let data leave the application in a form that can turn into a vulnerability: validate on the front end, check again on the back end, and encode on output, so that the site's controls keep improving.

      Original: http://www.it165.net/pro/html/201305/5947.html
