
I'm developing custom controls with security included. When the user does not have access to the control, the control disables itself and also goes invisible. The control is not rendered and it does not appear on the page. At this point, everything is fine.

My question is: how can I secure the control to prevent the user from changing the value?

I have injected an input into my form with Chrome's HTML inspector because, as it should be, the field is not rendered. When I submit the form with the injected input carrying a new value, the server has the new value in the control's Value property.

public enum UserRole {
   Standard,
   Administrator,
   [...]
}

//For this example, my custom control is derived from HtmlInputText.
[ToolboxData("<{0}:MyCustomControl runat=\"server\"></{0}:MyCustomControl>")]
public class MyCustomControl: System.Web.UI.HtmlControls.HtmlInputText
{
    public UserRole? MinimumRoleRequired { get; set; }

    protected override void OnLoad(EventArgs e)
    {
        //Simplified version
        if (this.Page.CurrentUser.Role < this.MinimumRoleRequired) 
        {
            this.Visible = false;
            this.Disabled = true;
            return;
        }
        [...]
    }

    protected override void Render(HtmlTextWriter writer)
    {
        if (!this.Visible || this.Disabled)
        {
            return;
        }
        [...]
    }
[...]
}
//My page that contains the control:

//HTML (MyPage.aspx)
<Controls:MyCustomControl ID="tbAdminOnly" runat="server"></Controls:MyCustomControl>


//C# (MyPage.aspx.cs)
public partial class UserEdit : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        this.tbAdminOnly.MinimumRoleRequired = UserRole.Administrator;
        [...]
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (this.IsPostBack)
        {
            string postBackValue = tbAdminOnly.Value;
            return;
        }
        tbAdminOnly.Value = "Hello world!";
    }
}

When I load the page as a standard user, the control is not rendered. But if I inject an input into the HTML page:

//Note: I need to know the valid name/id, but it could be done.
<input type="text" name="tbAdminOnly" id="tbAdminOnly" value="Damn shit">

The postBackValue is now the new value from the injected input. How can I prevent that?

Thanks.

ilkerkaran
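The behaviour described in the question follows from how Web Forms processes a postback: Render only decides what HTML is emitted, while the page's postback processing looks up every posted field by its name (the control's UniqueID) and calls that control's LoadPostData whether or not the control was rendered or marked Visible = false. Hiding the control is therefore a usability measure, not an authorization boundary. The example below is added here and is not code from the question or the answer; it shows the control enforcing the role check inside LoadPostData so an injected field is discarded server-side, with the page repeating the check before acting on the value. The IRoleAwarePage interface and the way CurrentRole is resolved are assumptions for this example.

```csharp
using System;
using System.Collections.Specialized;
using System.Web.UI;
using System.Web.UI.HtmlControls;

// Enum from the question, with explicit values so the ordering comparison is unambiguous.
public enum UserRole
{
    Standard = 0,
    Administrator = 1
}

// Hypothetical interface (not in the question): the page exposes the authenticated
// user's role, resolved server-side from the identity, never from request data.
public interface IRoleAwarePage
{
    UserRole CurrentRole { get; }
}

[ToolboxData("<{0}:SecureInputText runat=\"server\"></{0}:SecureInputText>")]
public class SecureInputText : HtmlInputText
{
    public UserRole? MinimumRoleRequired { get; set; }

    // One authorization decision reused in every phase of the control lifecycle.
    protected bool IsAuthorized
    {
        get
        {
            if (!MinimumRoleRequired.HasValue)
            {
                return true;
            }
            var page = Page as IRoleAwarePage;
            return page != null && page.CurrentRole >= MinimumRoleRequired.Value;
        }
    }

    // ASP.NET calls this for any posted field whose name equals this control's UniqueID,
    // regardless of Visible or Disabled. Refusing the posted value here is what keeps an
    // injected <input name="tbAdminOnly"> from ever reaching the Value property.
    protected override bool LoadPostData(string postDataKey, NameValueCollection postCollection)
    {
        if (!IsAuthorized)
        {
            // Returning false means "no change": Value keeps the server-side state restored
            // from view state, and no ServerChange event is raised for this control.
            return false;
        }
        return base.LoadPostData(postDataKey, postCollection);
    }

    // Hiding the control remains a convenience for legitimate users, not the security check.
    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        if (!IsAuthorized)
        {
            Visible = false;
            Disabled = true;
        }
    }
}

// Page side. The field tbAdminOnly is declared by the generated designer file for
// the markup <Controls:SecureInputText ID="tbAdminOnly" runat="server" />.
public partial class UserEdit : Page, IRoleAwarePage
{
    // Assumption for this example: the role comes from the authenticated principal.
    public UserRole CurrentRole
    {
        get { return User != null && User.IsInRole("Administrator") ? UserRole.Administrator : UserRole.Standard; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Set on every request (it is not view-state backed) and before LoadPostData runs.
        tbAdminOnly.MinimumRoleRequired = UserRole.Administrator;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack)
        {
            // Defence in depth: the action itself is guarded, not only the control's value.
            if (CurrentRole >= UserRole.Administrator)
            {
                string postBackValue = tbAdminOnly.Value;
                // ... apply the administrator-only change using postBackValue ...
            }
            return;
        }
        tbAdminOnly.Value = "Hello world!";
    }
}
```

The important ordering is that the page's OnInit assigns MinimumRoleRequired before the framework's ProcessPostData phase runs, so the check inside LoadPostData sees the correct requirement on every postback; because the role is read from the server-side identity rather than from anything the client sends, adding a field named tbAdminOnly to the form changes nothing for a standard user.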

1 Answer

To prevent the user from injecting HTML controls, you need to sanitize the inputs. There are similar posts: How to use C# to sanitize input on an html page?

Sujal

Thanks for your quick reply, but I have read about sanitizers and I'm not sure about it. I understand this library can "clean" the HTML, but I don't understand how this can be applied in my context. Could you give me a quick example of how you would use a sanitizer in my context? – TheQuebecker Jun 27 '19 at 11:12