如何用错误消息修复网页(基本XSS)中与脚本相关的HTML标记的不正确中和? [英] How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

问题描述

我们在登录页面中使用Web控制适配器.最近，我们在Web应用程序上运行VeraCode.在以下功能中，我们获得了CWE80，即网页(Basic XSS)中与脚本相关的HTML标签的不正确中和

We use web control adapter in our login page. Recently we run VeraCode on our web application. In following function, we got CWE80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line

rev.ErrorMessage = msg;

以下是WebControlAdapterExtender类中的函数.

Following is the function in the WebControlAdapterExtender class.

static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
        {
            if (rev != null)
            {
                rev.CssClass = className;
                rev.ControlToValidate = controlToValidate;
                rev.ErrorMessage = msg;
                rev.ValidationExpression = expression;
                rev.RenderControl(writer);
            }
        }

有人建议如何解决此问题吗?

Does anyone have any suggestion how to fix this?

推荐答案

问题是'msg'被向下传递给您的函数，但是在使用之前没有中和-字符串使用'as -is'，因此可能包含会造成危害的脚本.对此有很好的说明，并解释了它为什么会引起问题: http://www.veracode .com/images/pdf/top5mostprevalent.pdf

The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf

我自己没有使用过，但是我认为ErrorMessage会在发生错误的情况下呈现和显示.因为如果"msg"是顽皮的代码片段，这将在最终页面上呈现，所以您正在使自己和用户暴露于安全漏洞中.

I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.

已阅读此备忘单上的提示: https://www .owasp.org/index.php/XSS_％28Cross_Site_Scripting％29_Prevention_Cheat_Sheet

Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

您应该能够使用HtmlEncode来确保此HttpUtility.HtmlEncode(unencoded);

You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(unencoded);

rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);

这篇关于如何用错误消息修复网页(基本XSS)中与脚本相关的HTML标记的不正确中和?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！