I'm making and setting an AntiXssEncoder for my web project, which uses MVC3 and .NET 4, and I've done these steps:

  • add the AntiXSS Library reference
  • create AntiXSSEncoder derived from HttpEncoder
  • override the HtmlEncode method: output.Write(Encoder.HtmlEncode(value));
  • set encoderType in web.config to <httpRuntime encoderType="AntiXSSEncoder, MyDll"/>

But I can still see the alert popup from XSS input (XssTest<script>alert("test");</script>).

So I tested and found out that the default encoder doesn't encode values which are assigned to ViewBag. My test code is below, and it shows that one isn't encoded.

//In controller code
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library: provides Encoder.HtmlEncode

[ValidateInput(false)] // allow markup in the posted value so the test input reaches the action
public ActionResult AntiXss(string TextArea)
{
    ViewBag.DisplayInput = TextArea;                           // stored as-is
    ViewBag.DisplayEncodedInput = Encoder.HtmlEncode(TextArea); // encoded by hand with AntiXSS

    return View();
}
//In view code
@using (Html.BeginForm("AntiXss", "Test"))
{
    @Html.TextArea("TextArea")
    <p/>
    @Html.Raw(ViewBag.DisplayInput)
    <p/>
    @Html.Raw(ViewBag.DisplayEncodedInput)
    //@ViewBag.DisplayInput  (commented out; Razor encodes this form itself)
    <p/>
    <input type="submit" value="ok"/>
}
//In rendered page code
<textarea id="TextArea" name="TextArea">&#13;&#10;XssTest&lt;script&gt;alert(&quot;Test&quot;);&lt;/script&gt;</textarea>    <p/>
XssTest<script>alert("Test");</script>    <p/>
XssTest&lt;script&gt;alert(&quot;Test&quot;);&lt;/script&gt;    <p/>

Can anyone give me an answer or clue?

  • You are calling `@Html.Raw` which is supposed to not encode the string. Why do you need a custom encoder in the first place? Everything output by Razor is encoded, unless passed to `@Html.Raw`. You could simply write `@ViewBag.DisplayInput` in the view and that would be encoded without any custom encoders. – GSerg May 12 '14 at 08:00
  • Well, even though calling @Html.Raw, the 'DisplayEncodedInput' works exactly as I expect. I don't think that's the problem. And I just want to allow html input to users and make application safe from xss. Thanks anyway. – genki98 May 12 '14 at 08:33
  • `DisplayEncodedInput` works because you manually encode the value in the controller, then `Raw` displays it without additional actions. With Razor you simply output the user input, this is how it is designed. It is safe unless you pass it to the unsafe `Html.Raw` (and funnily, you are trying to use `Raw` to make it safe). See yourself - remove your custom encoder and replace calls to `@Html.Raw` with `@ViewBag.DisplayInput` and `@ViewBag.DisplayEncodedInput`. – GSerg May 12 '14 at 09:00
  • You are right. I manually encoded the value, but that's the point why I'm trying to use my encoder instead of default encoder!!! I assumed that registering my encoder as default encoder would help me to encode every html before it's rendered, so I wouldn't need to encode manually. However it isn't working as I expected, so I'm asking how to do it. – genki98 May 12 '14 at 09:27
  • Every HTML is encoded before it is rendered unless you pass it to `Html.Raw`. You pass it to `Html.Raw` so it is not encoded. You do not need a custom encoder to make this work. However if you do provide a custom encoder, even though you don't need to, `Html.Raw` will still not use it. – GSerg May 12 '14 at 09:32
  • Oh! Doesn't `Html.Raw` use encoder? Doesn't it decode values which are encoded once? – genki98 May 13 '14 at 01:17
  • No it does not decode and it does not care what the string contains. It creates an `MvcHtmlString` and puts the provided string in it. The MVC engine [knows](http://stackoverflow.com/q/2293357/11683) that `MvcHtmlString` does not need further encoding for output. – GSerg May 13 '14 at 06:58
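An added example (not code from the question or the comments) that reproduces the two output paths discussed above outside a web host: the custom encoder is consulted by HttpUtility.HtmlEncode, which is what Razor's `@` output calls, while an MvcHtmlString (what `Html.Raw` hands back) is written verbatim and never reaches any encoder. It assumes the AntiXSS library (Microsoft.Security.Application) and System.Web.Mvc are referenced, and it sets HttpEncoder.Current in code in place of the web.config encoderType attribute.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;
using Microsoft.Security.Application; // AntiXSS library (assumed referenced)

// Same shape as the encoder described in the question: delegate HTML encoding to AntiXSS.
public class AntiXssEncoder : HttpEncoder
{
    protected override void HtmlEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlEncode(value));
    }
}

public static class EncoderPaths
{
    // Constructed sample input, mirroring the one used in the question.
    public const string Input = "XssTest<script>alert(\"Test\");</script>";

    // Path taken by @ViewBag.DisplayInput: Razor calls HttpUtility.HtmlEncode,
    // which forwards to HttpEncoder.Current, i.e. the registered custom encoder.
    public static string RazorOutput(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Path taken by @Html.Raw(ViewBag.DisplayInput): the string is wrapped in an
    // IHtmlString, and Razor writes IHtmlString values without encoding them.
    public static string RawOutput(string value)
    {
        IHtmlString raw = new MvcHtmlString(value);
        return raw.ToHtmlString();
    }

    public static void Main()
    {
        // Stand-in for <httpRuntime encoderType="AntiXSSEncoder, MyDll"/> when running
        // outside ASP.NET (assumption: the HttpEncoder.Current setter is available).
        HttpEncoder.Current = new AntiXssEncoder();

        // The encoded form contains no '<' or '>' that a browser would parse as a tag;
        // the Raw form is byte-for-byte the attacker-controlled input.
        Console.WriteLine("Razor @ path : " + RazorOutput(Input));
        Console.WriteLine("Html.Raw path: " + RawOutput(Input));
        Console.WriteLine("Raw unchanged: " + (RawOutput(Input) == Input));
    }
}
```

To accept user-supplied HTML rather than encoding it, the safe output path is still `Html.Raw`, but only over markup that has first been sanitised server-side (for example with the AntiXSS library's own sanitiser, where the installed version provides one), never over the raw input.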