4

I want to prevent script injection from my input controls. So after lots of research I found one solution

<httpRuntime requestValidationMode="2.0"/>

in web.config. And at the time of saving it to the database, encode that data and save.

But if my textbox contains any malicious data, I am able to save that data (using Server.HtmlEncode(data)) in the database and show it to the user.

It is working fine with all the browsers except Chrome. In Chrome, it's not firing any event after that.

Could you please tell me about possible solutions to this? I'm certainly open to alternatives.

BlackMamba
Vikas Pawar

2 Answers

0

Quite an 'old' technology now, but I'd recommend investigating the use of the AntiXSS library from Microsoft. From that page there is also this link describing how to prevent Cross-Site Scripting. There's a newer version here.

The Microsoft Anti-Cross Site Scripting Library V4.2 (AntiXSS V4.2) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

Here's a similar question to your one that discusses XSS security requirements for 'newer' .Net 4.0 web sites.

Community
Damon
-2

Thanks for helping me.

But I have fixed that problem using a client-side script. I have added that script on the master page, which will get executed on each request and show an alert message client side if any textbox contains malicious text. This may not be an ideal solution, but it works for me.

// This function should be on the master page and fire on each submit,
// e.g. <form ... onsubmit="return OnSubmitHandler();">
// Requires jQuery; `theForm` is the global that ASP.NET WebForms defines for the page's form.
function OnSubmitHandler() {
    var isValid = true;
    // Reject "&#" (numeric character references) anywhere, or "<" followed by
    // a letter, "!", "?" or "/" (start tag, comment, processing instruction, end tag).
    // Testing the raw value directly replaces the earlier anchored ^...$ pattern,
    // which (because "$" in JavaScript only matches at the very end of the string)
    // let a textarea value ending in a newline slip through unchecked.
    var regex = /&#|<[A-Za-z!?\/]/;
    $(theForm).find('input:text,textarea').each(function () {
        if (regex.test($(this).val())) {
            alert('Invalid Data.\nData containing "&#" or containing "<"\nfollowed by "?" or "/" or "!" or any alphabet not allowed.\nPlease remove these characters to proceed.');
            isValid = false;
            return false; // stop at the first bad field so the user sees a single alert
        }
    });
    return isValid;
}
Vikas Pawar
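The following is an added example; it is not code from the question or from either answer. It packages the submit-time rule from the second answer as a function and places it next to a small whitelist HTML encoder of the kind the first answer's AntiXSS quote describes (keep a known-good character set, encode everything else), then runs both over a few constructed inputs. The function names `passesSubmitCheck` and `whitelistHtmlEncode`, the whitelist itself and all sample strings are assumptions made for this illustration. The samples deliberately go beyond the tag-in-text case the question asks about and include attribute-context and URL-context strings, which contain neither "<" nor "&#".

```javascript
// Added example (assumed names); not part of the original question or answers.

// The second answer's rule: reject "&#" anywhere, or "<" followed by a letter,
// "!", "?" or "/". Returns true when the text would be accepted by that check.
function passesSubmitCheck(text) {
  return !/&#|<[A-Za-z!?\/]/.test(text);
}

// Whitelist encoder modelled on the AntiXSS description in the first answer:
// ASCII letters, digits, space and a few punctuation characters pass through,
// every other code point becomes a decimal character reference. A whitelist
// needs no catalogue of dangerous sequences; anything outside the set is inert.
const SAFE = /^[A-Za-z0-9 ,.\-_]$/;
function whitelistHtmlEncode(text) {
  let out = '';
  for (const ch of text) {            // iterates by code point, not UTF-16 unit
    out += SAFE.test(ch) ? ch : '&#' + ch.codePointAt(0) + ';';
  }
  return out;
}

// Constructed sample inputs for the comparison.
const SAMPLES = [
  'Hello, World',                  // ordinary text
  '<script>alert(1)</script>',     // tag injection in an element body
  '&#60;script&#62;',              // the same tag as numeric character references
  '" onmouseover="alert(1)',       // attribute-context string: no "<", no "&#"
  'javascript:alert(1)',           // URL-context string: no "<", no "&#"
];

// For each sample: does the submit check accept it, and what does the
// whitelist encoder turn it into?
function report(samples) {
  return samples.map((s) => ({
    input: s,
    acceptedBySubmitCheck: passesSubmitCheck(s),
    encoded: whitelistHtmlEncode(s),
  }));
}

console.log(report(SAMPLES));
```

Running this shows the two strategies answering different questions: the submit check decides whether to refuse the input (and it accepts the last two samples, since they contain none of the sequences it looks for), while the encoder never refuses anything and instead makes every sample safe to place in an HTML text node, which is the approach the question's own Server.HtmlEncode call takes.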