如何用错误消息修复网页(基本XSS)中与脚本相关的HTML标记的不正确中和? [英] How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?
问题描述
我们在登录页面中使用Web控制适配器.最近,我们在Web应用程序上运行VeraCode.在以下功能中,我们获得了CWE80,即网页(Basic XSS)中与脚本相关的HTML标签的不正确中和
We use web control adapter in our login page. Recently we run VeraCode on our web application. In following function, we got CWE80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line
rev.ErrorMessage = msg;
以下是WebControlAdapterExtender类中的函数.
Following is the function in the WebControlAdapterExtender class.
static public void WriteRegularExpressionValidator(HtmlTextWriter writer, RegularExpressionValidator rev, string className, string controlToValidate, string msg, string expression)
{
if (rev != null)
{
rev.CssClass = className;
rev.ControlToValidate = controlToValidate;
rev.ErrorMessage = msg;
rev.ValidationExpression = expression;
rev.RenderControl(writer);
}
}
有人建议如何解决此问题吗?
Does anyone have any suggestion how to fix this?
推荐答案
问题是'msg'被向下传递给您的函数,但是在使用之前没有中和-字符串使用'as -is',因此可能包含会造成危害的脚本.对此有很好的说明,并解释了它为什么会引起问题: http://www.veracode .com/images/pdf/top5mostprevalent.pdf
The problem is that 'msg' is being passed down to your function, but there is no neutralization of this before it gets used - the string gets uses 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
我自己没有使用过,但是我认为ErrorMessage会在发生错误的情况下呈现和显示.因为如果"msg"是顽皮的代码片段,这将在最终页面上呈现,所以您正在使自己和用户暴露于安全漏洞中.
I've not used this myself, but I think ErrorMessage gets rendered and displayed in the event of an error. Because this will get rendered on the final page if 'msg' was a naughty snippet of code you are exposing yourself and your users to a security vulnerability.
已阅读此备忘单上的提示: https://www .owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
您应该能够使用HtmlEncode来确保此HttpUtility.HtmlEncode(unencoded);
You should be able to use HtmlEncode to make this safe HttpUtility.HtmlEncode(unencoded);
rev.ErrorMessage = System.web.HttpUtility.HtmlEncode(msg);
这篇关于如何用错误消息修复网页(基本XSS)中与脚本相关的HTML标记的不正确中和?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!