  string myContent = "Hello";
  System.Web.UI.WebControls.Literal literal1 = new System.Web.UI.WebControls.Literal();
  literal1.Text = "<b>" + myContent + "</b><table><tr><td>HI</td></tr></table>";

But here I am in a situation where I must perform encoding on the literal control's text value (the reason is to protect the literal control from an XSS attack). I am using ASP.NET C#.

So what I did is,

literal1.Text = AntiXssEncoder.HtmlEncode("<b>" + myContent + "</b><table><tr><td>HI</td></tr></table>");

So the output would be,

<b>Hello</b><table><tr><td>HI</td></tr></table>

I don't want the above output (the plain text of my markup) when I do encoding. I want it to render as

Hello
"HI" -> should have been printed inside an HTML tag

Also I know that the result of the literal control will be just plain text if I do encoding on the literal control. I want to encode the literal control, plus I don't want my literal control's text to render as plain text. Any help would be appreciated.

  • What is the `Type` of `literal1`? – mjwills Jul 06 '18 at 09:05
  • Can you give us a complete example? What is the actual problem you are facing? – Esko Jul 06 '18 at 09:08
  • Please update your example with the actual problem and with expected output and what is the "wrong" output you are getting now? – Esko Jul 06 '18 at 09:18
  • This question's definition has shifted twice. Please close this question and raise a new one called 'how to avoid xss using asp literal'. – Davesoft Jul 06 '18 at 10:14
  • @Davesoft That is true, there was nothing in the original question about xss. – Esko Jul 06 '18 at 10:17

2 Answers


Answer to your initial question: To prevent XSS, insert the text into a Label and add that to an HtmlGenericControl of type "b" to surround it with a bold tag, like this:

using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

HtmlGenericControl bold = new HtmlGenericControl("b");
Label myContent = new Label();
myContent.Text = "Hello and some special characters <>";
bold.Controls.Add(myContent);

The Label control will encode every special character inside, which should prevent any XSS attack.

For the new table part of your question: I suggest not constructing your whole DOM inside a Literal. That is pretty bad style and should only be used if there's no other way. Use the available classes (i.e. Table) in the ASP.NET API instead.

species


You could simply do:

literal1.Text = "<b>" + HttpUtility.HtmlEncode(myContent) + "</b>";

Or better yet, use a Label control and add a CSS class to it with font-weight: bold;

Esko
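The point both answers make, carried through for the table case in the question, as an added example (this is not code from the question or from either answer): encode only the untrusted value and leave the author's own markup literal, or let the Web Forms control tree emit the markup and place the data where it is encoded on render. The class name SafeMarkup and the sample input string are constructed for this example; the methods it calls (HttpUtility.HtmlEncode, HtmlGenericControl.InnerText, Table/TableRow/TableCell, PlaceHolder) are the standard System.Web ones.

```csharp
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

// Added example, not code from the question or the answers.
public static class SafeMarkup
{
    // Constructed sample of untrusted input, e.g. a value read from a query string.
    // The <script> element must end up displayed as text, never rendered.
    public const string SampleUntrusted = "Hello <script>alert('x')</script>";

    // What the question started with: user data concatenated straight into markup.
    // With SampleUntrusted the <script> tag is rendered, so this is the XSS sink.
    public static string BuildVulnerable(string content)
    {
        return "<b>" + content + "</b><table><tr><td>HI</td></tr></table>";
    }

    // What the question then tried: encoding the whole string. Safe, but the
    // author's own <b> and <table> are now shown as text too, which is the
    // unwanted "plain text of my markup" output. Setting Literal.Mode to
    // LiteralMode.Encode has the same effect on the whole Text.
    public static string BuildEverythingEncoded(string content)
    {
        return HttpUtility.HtmlEncode(
            "<b>" + content + "</b><table><tr><td>HI</td></tr></table>");
    }

    // Esko's approach, extended to the table: encode only the untrusted value.
    // The markup the author wrote stays literal and still renders as HTML.
    public static string BuildDataEncoded(string content)
    {
        return "<b>" + HttpUtility.HtmlEncode(content)
             + "</b><table><tr><td>HI</td></tr></table>";
    }

    // species' approach, extended to the table: let the controls emit the markup
    // and put the data where it is encoded on render. HtmlGenericControl.InnerText
    // HTML-encodes its value; InnerHtml would not, and TableCell.Text is raw HTML,
    // so anything placed there is encoded explicitly.
    public static Control BuildWithControls(string content)
    {
        var host = new PlaceHolder();

        var bold = new HtmlGenericControl("b");
        bold.InnerText = content;                 // encoded when rendered
        host.Controls.Add(bold);

        var cell = new TableCell();
        cell.Text = HttpUtility.HtmlEncode("HI"); // constant here, but encode anyway
        var row = new TableRow();
        row.Cells.Add(cell);
        var table = new Table();
        table.Rows.Add(row);
        host.Controls.Add(table);

        return host;
    }
}
```

In a Page_Load handler, literal1.Text = SafeMarkup.BuildDataEncoded(input) gives the string form and form1.Controls.Add(SafeMarkup.BuildWithControls(input)) the control-tree form (form1 being whatever container the page already has). With the sample input, both render the characters <script>alert('x')</script> in bold as visible text, followed by the table containing HI, and no script element ever exists in the DOM; BuildVulnerable is kept only to show the sink being fixed, and BuildEverythingEncoded shows why encoding the whole literal produces the output the question did not want.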