In my Page_Load method for an ASP.NET page, I have this:

BtnUploadDocument.Attributes.Add("onclick",
    String.Format("Javascript:var PopUpWin = window.open('{0}','_blank','scrollbars=yes, title=yes,toolbar=no,location=no,resizable=yes,status=no');return false;",
        SQLManager.GetUploadDocumentLink(poid, pono)));

How do I ensure that this is not vulnerable to an XSS attack?

Gezim
  • Stop using pop-ups; every single person in the world hates them. – Chris Marisic Oct 29 '14 at 18:01
  • XSS attacks are generated by user input through the URL, or by toying with a POST object. If 'GetUploadDocumentLink' doesn't ever look at something passed in via the Request object, then as long as GetUploadDocumentLink only retrieves data that is not provided by the user, it should be reasonably safe. Obviously, a user could use a Developer Tool to alter the results after they are loaded to the screen, but that's a different matter – guildsbounty Oct 29 '14 at 18:05
  • @ChrisMarisic, I think you're rounding up and this adds nothing to my question. – Gezim Oct 29 '14 at 18:06
  • @guildsbounty, I should have clarified that GetUploadDocumentLink definitely returns results that were input by a user at one point. So I can't rely on that being safe. – Gezim Oct 29 '14 at 18:07
  • Could you post details of how that information is stored? Because you would want to intercept XSS-dangerous data before it is stored into your DB, not on retrieval of it from the DB. Ultimately, I'd suggest validating the data as it is input to ensure that it is a pure URL that doesn't contain a certain selection of characters, or the characters are safely URL-encoded. – guildsbounty Oct 29 '14 at 18:10
  • Just to clarify, the 'characters' you generally need to worry about being in a URL are single quotes, double quotes, and, in unusual cases, semi-colons. You can either URL-escape those characters, or simply ban them from being in the url string altogether. Now, what happens on the receiving end of that URL is on the head of the person who controls that link... – guildsbounty Oct 29 '14 at 18:16

1 Answer

If you follow the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet, the rule JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values applies here.

This is defined as:

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute

so you will need to JSEncode using a function. Note that you should adapt this to follow the OWASP recommendation and encode all non-alphanumerics; otherwise there will be ways for an attacker to break out and cause XSS.

Your code will then become:

BtnUploadDocument.Attributes.Add("onclick",
    String.Format("Javascript:var PopUpWin = window.open('{0}','_blank','scrollbars=yes, title=yes,toolbar=no,location=no,resizable=yes,status=no');return false;",
        JSEncode.EncodeJsString(SQLManager.GetUploadDocumentLink(poid, pono))));
SilverlightFox
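The OWASP rule the answer quotes, written out as an added example. This is not the JSEncode helper the answer refers to and not code from the question; it is a JavaScript implementation of "escape every non-alphanumeric character below 256 as \xHH" (with \uHHHH for everything else), plus a check that lets the JS engine itself parse the result as a single-quoted string literal. The function names and the sample URL are constructed for the example; the same loop ports directly to C# for use in the Page_Load above. Because the encoder's output contains only backslashes, letters and digits, the encoded value also contains nothing that needs HTML-attribute encoding, which is why this rule is safe inside an onclick attribute.

```javascript
// Added example: OWASP-style JavaScript string encoding for a value that is
// about to be placed between the quotes of a JS string literal, e.g. the '{0}'
// in the onclick handler from the question. Names are hypothetical; the
// sample URL below is constructed.

const ALNUM = /^[A-Za-z0-9]$/;

// Encode every character that is not A-Z, a-z or 0-9.
// Code points below 256 become \xHH; the rest become \uHHHH (two escapes for
// a surrogate pair), so nothing but '\', letters and digits is emitted.
function encodeForJavaScript(value) {
  let out = "";
  for (const ch of String(value)) {
    if (ALNUM.test(ch)) {
      out += ch;
      continue;
    }
    const cp = ch.codePointAt(0);
    if (cp < 256) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else {
      // ch is one UTF-16 unit for the BMP, two for astral code points.
      for (let i = 0; i < ch.length; i++) {
        out += "\\u" + ch.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
      }
    }
  }
  return out;
}

// Build the same handler string the question constructs, with the untrusted
// URL encoded before it lands between the single quotes.
function buildOnClick(untrustedUrl) {
  return "var PopUpWin = window.open('" + encodeForJavaScript(untrustedUrl) +
    "','_blank','scrollbars=yes,toolbar=no,location=no,resizable=yes,status=no');" +
    "return false;";
}

// Ask the JS engine to parse '<literalBody>' as exactly one string literal and
// return its value. null means the text did not parse as a single literal,
// i.e. the value escaped the quotes and changed the structure of the script.
function parseAsStringLiteral(literalBody) {
  try {
    return new Function("return '" + literalBody + "';")();
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Constructed sample: a stored link that happens to contain quotes and '&'.
const SAMPLE_URL = "/docs/report 'Q3' & notes.pdf?id=42";

// Raw value: the quotes terminate the literal early and the script no longer
// parses. Encoded value: the engine reads back exactly the original string.
console.log(parseAsStringLiteral(SAMPLE_URL));                          // null
console.log(parseAsStringLiteral(encodeForJavaScript(SAMPLE_URL)));     // the original URL
console.log(buildOnClick(SAMPLE_URL));
```

The round trip through `new Function` is the property you want from any encoder used here: whatever the stored URL contains, the browser must end up with a string literal whose value is the URL, never with additional statements. When a candidate C# helper only escapes quotes, run its output through the same check with inputs containing backslashes, newlines and `</script>` to see whether it still holds.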