abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Html encode text fields in response against XSS attacks (Cross Site Scripting) #7751

Open ebicoglu opened 3 years ago

ebicoglu commented 3 years ago

Prevent client-side scripts from running in the web browser. Automatically encode HTML or escape chars in Ajax responses so that code in <script></script> tags cannot be evaluated. There may be multiple targeted devices, that's why encoding should be done only in the web layer. According to me, this should be done in the response, not in the request, because if a 3rd party is inserting infected data into the database, ABP should encode those as well.

When you create a new role with the name <script>alert(1)</script>, all the pages that return the role name evaluate this script. eg: https://localhost:44303/Identity/Users/CreateModal


https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery

iyilm4z commented 3 years ago

In this case, we have stored XSS, which means the record is already in the db. As it's mentioned, encoding output is a good option for the stored XSS case. However, as you may guess, we also should validate input before saving it into the db. Imho ABP needs a more generic implementation for the XSS case; just encoding output is not enough.

Well, just off the top of my head, we could use an ActionFilter to encode each property.
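One way to implement the filter idea above, as an added example that is neither ABP's code nor the commenter's: a result filter (hypothetical name HtmlEncodeResponseFilter) that HTML-encodes the string properties of an object result before it is serialized, which is the output-encoding half of the mitigation discussed in this issue. It assumes ASP.NET Core MVC and .NET 5 or later (for ReferenceEqualityComparer).

```csharp
using System.Collections;
using System.Collections.Generic;
using System.Reflection;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
// Hypothetical result filter (not ABP's own code): HTML-encodes every writable string
// property of an ObjectResult before serialization, so a stored value such as
// <script>alert(1)</script> reaches the page as &lt;script&gt;alert(1)&lt;/script&gt;.
public sealed class HtmlEncodeResponseFilter : IAsyncResultFilter
{
    private static readonly HtmlEncoder Encoder = HtmlEncoder.Default;
    public async Task OnResultExecutionAsync(ResultExecutingContext context, ResultExecutionDelegate next)
    {
        if (context.Result is ObjectResult { Value: { } value })
        {
            // Reference-equality set guards against cycles in the object graph (.NET 5+ API).
            EncodeStrings(value, new HashSet<object>(ReferenceEqualityComparer.Instance));
        }
        await next();
    }
    private static void EncodeStrings(object target, HashSet<object> visited)
    {
        // A bare string is replaced by its owner below; value types are left alone.
        if (target is string || target.GetType().IsValueType || !visited.Add(target)) return;
        if (target is IList { IsReadOnly: false } list)
        {
            for (var i = 0; i < list.Count; i++)
            {
                if (list[i] is string s) list[i] = Encoder.Encode(s);
                else if (list[i] is { } item) EncodeStrings(item, visited);
            }
            return;
        }
        if (target is IEnumerable enumerable)
        {
            foreach (var item in enumerable) if (item is not null) EncodeStrings(item, visited);
            return;
        }
        foreach (var prop in target.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (prop.GetIndexParameters().Length > 0 || !prop.CanRead) continue;
            var value = prop.GetValue(target);
            if (value is string s) { if (prop.CanWrite) prop.SetValue(target, Encoder.Encode(s)); }
            else if (value is not null) EncodeStrings(value, visited);
        }
    }
}
```

Register it with options.Filters.Add<HtmlEncodeResponseFilter>() in AddControllers; because clients that treat JSON as data will receive the encoded form (the multiple-device concern raised in the issue), scope it to the endpoints whose output is rendered as HTML, and keep input validation on the write path as well.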

Cainor commented 2 years ago

Hey guys, was this implemented in the framework? Or should we implement it manually?

Thanks.