Skip to content Skip to sidebar Skip to footer
Home / Asp.net / C# / Javascript / Jquery / Security

HTML Tag Injection In Asp.net

Post a Comment
My security team reported one html tag injection security issue for the below code function ClosePopUp(objBhID) { var pageName = window.location.pathname; var moda

Solution 1: 

<%= HttpUtility.UrlEncode( Request.QueryString["ID"] ) %>

Solution 2:

Although the other answer will work in this case for URLs, because the built in URL encoding happens to encode html and Javascript escape characters, this is not a complete solution for using dynamic server-side values within Javascript. Therefore I post my answer here so hopefully no one falls into the trap of using the wrong encoding and produces something insecure.

The OWASP rule is:

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. DO NOT use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to "escape-the-escape" attacks where the attacker sends \" and the vulnerable code turns that into \" which enables the quote.

However, an easier, and imo simpler solution is to never put server-side data within any script tag or script enabled attribute at all. Use HTML5 data attributes, then you can insert your data HTML encoded into a safer HTML context.

I see you appear to be using JQuery. Why not do the following, then you can use the built-in ASP.NET encoding functions?

<div id="myDynamicData" data-partnerId="<%=Server.HTMLEncode(Request.QueryString["partnerid"])%>" data-id="<%=Server.HTMLEncode(Request.QueryString["id"]%>)" />

Or simply

<div id="myDynamicData" data-partnerId="<%:Request.QueryString["partnerid"]%>" data-id="<%:Request.QueryString["id"]%>" />

on newer versions of .NET.

Your code then becomes:

function ClosePopUp(objBhID) {
        var pageName = window.location.pathname;
        var modalPopupBehavior = $find(objBhID);
        if (modalPopupBehavior != null && modalPopupBehavior != 'undefined') {
            modalPopupBehavior.hide();
        }
        if (objBhID == 'bhThankMsg' && pageName == '/Projects/Comm.aspx') {
            var objPartnerID = $('#myDynamicData').data('partnerId');
            var id = $('#myDynamicData').data('id');
            if (objPartnerID) {
                window.location = '/Projects/Comm.aspx?Id=' + encodeURIComponent(id) + '&partnerid=' + encodeURIComponent(objPartnerID);                
            }
            else {
                window.location = '/Projects/Comm.aspx?Id=' + encodeURIComponent(id);
            }
        }
    }

Post a Comment for "HTML Tag Injection In Asp.net"