Sideway
output.to from Sideway
Draft for Information Only

Content

How to: Protect Against Script Exploits
 Protect Against Script Exploits in a Web Application
 To apply HTML encoding to a string
  Note
  Examples
   Examples of ASP.NET C# page
   Examples of ASP.NET VB page
 Source and Reference

How to: Protect Against Script Exploits

Protect Against Script Exploits in a Web Application

Most scripting exploits occur when users can get executable code (or script) into your application. By default, ASP.NET provides request validation, which raises an error if a form post contains any HTML.
You can help protect against script exploits in the following ways:
  • Perform parameter validation on form variables, query-string variables, and cookie values. This validation should include two types of verification: verification that the variables can be converted to the expected type (for example, convert to an integer, convert to date-time, and so on), and verification of expected ranges or formatting. For example, a form post variable that is intended to be an integer should be checked with the Int32.TryParse method to verify the variable really is an integer. Furthermore, the resulting integer should be checked to verify the value falls within an expected range of values.
  • Apply HTML encoding to string output when writing values back out to the response. This helps ensure that any user-supplied string input is rendered as static text in the browser instead of as executable script code or interpreted HTML elements.
HTML encoding replaces the HTML-reserved characters in a string (such as <, >, &, and quotation marks) with their character-entity equivalents, so that the browser displays the text rather than interpreting it as markup or script.
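As an added example that is not code from the original page or from Microsoft's documentation, the following console program shows both checks listed above: Int32.TryParse plus a range check for a numeric form value, and HTML encoding of user text before it is written out. It uses System.Net.WebUtility.HtmlEncode so it runs outside ASP.NET; the class name ScriptExploitGuard and the sample input values are constructed for this example.

```csharp
// Added example, not from the original page. Runs as a plain console program;
// WebUtility.HtmlEncode (System.Net) produces the same entities that
// Server.HtmlEncode does inside an ASP.NET page.
using System;
using System.Net;

static class ScriptExploitGuard   // name chosen for this example
{
    // Check 1 from the page: the value must convert to the expected type
    // AND fall inside the expected range. Returns false otherwise.
    public static bool TryGetIntInRange(string raw, int min, int max, out int value)
    {
        if (!int.TryParse(raw, out value))
            return false;                      // not an integer (or overflows Int32)
        return value >= min && value <= max;   // e.g. a quantity of -1 is rejected
    }

    // Check 2 from the page: encode before writing the string to the response,
    // so '<', '>', '&' and quotes become entities that the browser displays as text.
    public static string SafeForHtml(string userInput)
    {
        return WebUtility.HtmlEncode(userInput ?? string.Empty);
    }

    static void Main()
    {
        // Constructed sample values standing in for Request.Form / QueryString data.
        string[] quantityInputs = { "42", "-1", "abc", "2147483648" };
        foreach (string q in quantityInputs)
        {
            bool ok = TryGetIntInRange(q, 1, 100, out int qty);
            Console.WriteLine($"quantity \"{q}\": {(ok ? "accepted as " + qty : "rejected")}");
        }

        // Markup in user text is neutralised: the tag is shown, not interpreted.
        string comment = "<script>x()</script> & \"quoted\"";
        Console.WriteLine(SafeForHtml(comment));

        // The page's sample encodes twice: the outer call turns the '&' that starts
        // each entity into &amp;, so the browser displays the entity text itself.
        Console.WriteLine(SafeForHtml(SafeForHtml("<")));
    }
}
```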

To apply HTML encoding to a string

Before displaying strings, call the HtmlEncode method. HTML elements are converted into string representations that the browser will display rather than interpret as HTML.
The following example illustrates HTML encoding. In the first instance, the user input is encoded before being displayed. In the second instance, data from a database is encoded before being displayed.

Note

This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.

Examples

Examples of ASP.NET C# page

ASP.NET Code Input:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head runat="server">
        <title>Sample Page</title>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
        <%@ Page Language="C#" %>
        <script runat="server">
        // Define a handler for the button click.
        protected void SubmitBtn_Click(object sender, EventArgs e)
        {
            // The inner HtmlEncode neutralizes the input; the outer one re-encodes the
            // result so the browser displays the entity text (for '<', "&lt;") instead
            // of rendering it back into a '<' character.
            MySpan.InnerHtml = "HtmlEncode = " + Server.HtmlEncode(Server.HtmlEncode(MyTextBox.Text)) + ".";
        }
        </script>
    </head>
    <body>
        <form id="form1" runat="server">
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <asp:textbox id="MyTextBox" runat="server"/> </td>
                    </tr>
                    <tr>
                        <td>
                        <asp:Button id="MyButton" text="Click Here" onclick="SubmitBtn_Click" runat="server"/></td>
                    </tr>
                    <tr>
                        <td> <asp:CompareValidator ID="ValueValidator1" runat="server" ErrorMessage="ValueValidator" ControlToValidate="MyTextBox" ValueToCompare="<" /> </td>
                        <td><span id="MySpan" runat="server" /></td>
                    </tr>
                </table>
            </div>
        </form>
    </body>
</html>
HTTP Response Output:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head><title>
	Sample Page
</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8" /></head>
    <body>
        <form method="post" action="./aspnetht_protectagainstscriptexploits_001a_01.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIxMzExNTkwMDdkZCh1UYC3hENj2ouNkNAeUXXZVucJ9VjA5HC/Ic7EuT37" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>


<script src="/sideway/WebResource.axd?d=c0VQ4AP-KK4FHoaOdcAZOCJhX3lppsLz7VfAgWyB2y5HqnBnSm15H8NFEFRPslCkG3DpC6-rf3gN1xqhjtS2DHh7wpbKtaEKERbM94a2ckY1&amp;t=637688112097945149" type="text/javascript"></script>


<script src="/sideway/WebResource.axd?d=KTG0uDevdKWz2OmyVNVBYJQUfGzYPcBkQtffgbcLMp-XUh_hG-KITZAyKQSMEEO5V_FNrBJTWz4n-JMWOTVY6pSHvvSjU3dqLkZyNqqMjuM1&amp;t=637688112097945149" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
//]]>
</script>

<div class="aspNetHidden">

	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9C4D66ED" />
	<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAPGxH00v12VbfJ2hGwsHmCk0e0Nr0U0RT07K3lzrTTZzszCeMQBMuEffVPlinxaUAbEZF5m5/C6swPjZFvTQVipVw6/qMycwLyAJ5r2zxBEIA==" />
</div>
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <input name="MyTextBox" type="text" id="MyTextBox" /> </td>
                    </tr>
                    <tr>
                        <td>
                        <input type="submit" name="MyButton" value="Click Here" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions(&quot;MyButton&quot;, &quot;&quot;, true, &quot;&quot;, &quot;&quot;, false, false))" id="MyButton" /></td>
                    </tr>
                    <tr>
                        <td> <span id="ValueValidator1" style="visibility:hidden;">ValueValidator</span> </td>
                        <td><span id="MySpan"></span></td>
                    </tr>
                </table>
            </div>
 <script type="text/javascript">
//<![CDATA[
var Page_Validators =  new Array(document.getElementById("ValueValidator1"));
//]]>
</script>

<script type="text/javascript">
//<![CDATA[
var ValueValidator1 = document.all ? document.all["ValueValidator1"] : document.getElementById("ValueValidator1");
ValueValidator1.controltovalidate = "MyTextBox";
ValueValidator1.errormessage = "ValueValidator";
ValueValidator1.evaluationfunction = "CompareValidatorEvaluateIsValid";
ValueValidator1.valuetocompare = "<";
//]]>
</script>


<script type="text/javascript">
//<![CDATA[

var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
    ValidatorOnLoad();
}

function ValidatorOnSubmit() {
    if (Page_ValidationActive) {
        return ValidatorCommonOnSubmit();
    }
    else {
        return true;
    }
}
        //]]>
</script>
</form>
    </body>
</html>

Examples of ASP.NET VB page

ASP.NET Code Input:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head runat="server">
        <title>Sample Page</title>
        <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
        <%@ Page Language="vb" %>
        <script runat="server">
        ' Define a handler for the button click.
        Protected Sub SubmitBtn_Click(ByVal sender As Object, ByVal e As System.EventArgs)
            ' The inner HtmlEncode neutralizes the input; the outer one re-encodes the
            ' result so the browser displays the entity text (for '<', "&lt;") instead
            ' of rendering it back into a '<' character.
            MySpan.InnerHtml = "HtmlEncode = " & Server.HtmlEncode(Server.HtmlEncode(MyTextBox.Text)) & "."
        End Sub
        </script>
    </head>
    <body>
        <form id="form1" runat="server">
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <asp:textbox id="MyTextBox" runat="server"/> </td>
                    </tr>
                    <tr>
                        <td>
                        <asp:Button id="MyButton" text="Click Here" onclick="SubmitBtn_Click" runat="server"/></td>
                    </tr>
                    <tr>
                        <td> <asp:CompareValidator ID="ValueValidator1" runat="server" ErrorMessage="ValueValidator" ControlToValidate="MyTextBox" ValueToCompare="<" /> </td>
                        <td><span id="MySpan" runat="server" /></td>
                    </tr>
                </table>
            </div>
        </form>
    </body>
</html>
HTTP Response Output:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head><title>
	Sample Page
</title><meta http-equiv="Content-Type" content="text/html;charset=utf-8" /></head>
    <body>
        <form method="post" action="./aspnetht_protectagainstscriptexploits_001a_02.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="form1">
<div class="aspNetHidden">
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIxMzExNTkwMDdkZIc+bDf9Ojt63tWqDP3m5Vphi0S4oK/+aXGSzV/UqSSW" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>


<script src="/sideway/WebResource.axd?d=c0VQ4AP-KK4FHoaOdcAZOCJhX3lppsLz7VfAgWyB2y5HqnBnSm15H8NFEFRPslCkG3DpC6-rf3gN1xqhjtS2DHh7wpbKtaEKERbM94a2ckY1&amp;t=637688112097945149" type="text/javascript"></script>


<script src="/sideway/WebResource.axd?d=KTG0uDevdKWz2OmyVNVBYJQUfGzYPcBkQtffgbcLMp-XUh_hG-KITZAyKQSMEEO5V_FNrBJTWz4n-JMWOTVY6pSHvvSjU3dqLkZyNqqMjuM1&amp;t=637688112097945149" type="text/javascript"></script>
<script type="text/javascript">
//<![CDATA[
function WebForm_OnSubmit() {
if (typeof(ValidatorOnSubmit) == "function" && ValidatorOnSubmit() == false) return false;
return true;
}
//]]>
</script>

<div class="aspNetHidden">

	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="2695E677" />
	<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAP+edIS3oMBXvxv3UhrIA6U0e0Nr0U0RT07K3lzrTTZzszCeMQBMuEffVPlinxaUAZ3x4jCUh3k/UBUUe6iOUa2VeJliejpVW3tViEepXL9fQ==" />
</div>
            <h3>HtmlEncode Page Example</h3>
            <div>
                <table>
                    <tr>
                        <td>Enter String '&lt;' Only: </td>
                        <td> <input name="MyTextBox" type="text" id="MyTextBox" /> </td>
                    </tr>
                    <tr>
                        <td>
                        <input type="submit" name="MyButton" value="Click Here" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions(&quot;MyButton&quot;, &quot;&quot;, true, &quot;&quot;, &quot;&quot;, false, false))" id="MyButton" /></td>
                    </tr>
                    <tr>
                        <td> <span id="ValueValidator1" style="visibility:hidden;">ValueValidator</span> </td>
                        <td><span id="MySpan"></span></td>
                    </tr>
                </table>
            </div>
 <script type="text/javascript">
//<![CDATA[
var Page_Validators =  new Array(document.getElementById("ValueValidator1"));
//]]>
</script>

<script type="text/javascript">
//<![CDATA[
var ValueValidator1 = document.all ? document.all["ValueValidator1"] : document.getElementById("ValueValidator1");
ValueValidator1.controltovalidate = "MyTextBox";
ValueValidator1.errormessage = "ValueValidator";
ValueValidator1.evaluationfunction = "CompareValidatorEvaluateIsValid";
ValueValidator1.valuetocompare = "<";
//]]>
</script>


<script type="text/javascript">
//<![CDATA[

var Page_ValidationActive = false;
if (typeof(ValidatorOnLoad) == "function") {
    ValidatorOnLoad();
}

function ValidatorOnSubmit() {
    if (Page_ValidationActive) {
        return ValidatorCommonOnSubmit();
    }
    else {
        return true;
    }
}
        //]]>
</script>
</form>
    </body>
</html>

Source and Reference

https://docs.microsoft.com/en-us/previous-versions/aspnet/a2a4yykt(v=vs.100)

©sideway

ID: 211000013 Last Updated: 10/13/2021 Revision: 0 Ref:


Copyright © 2000-2021 Sideway. All rights reserved. Disclaimers last modified on 06 September 2019