[研究][ASP.NET][C#][WebForm]Fortify SCA 報告 Eval()有 Cross-Site Scripting: Persistent解法
2020-10-20
2021-11-22 修訂
Eval() 有時候會被 Fortify SCA 報告有 Cross-Site Scripting: Persistent 問題,有時候又不會,敝人尚未弄清原因。值得留意的一點:asp:Label 的 Text 會原樣寫進頁面,而 asp:TextBox 的 Text 輸出成 value 屬性時會先做屬性編碼,因此 Eval() 的結果最後綁到哪一種控制項,很可能就是被報與不被報的差別(此處為推測,請以 Fortify 報告中的資料流追蹤為準)。
只要參考這篇用 HtmlEncode 或 HtmlSanitizer 就可解決。兩者的取捨:欄位若只是一般文字,用 HtmlEncode 最保險;HtmlSanitizer 會放行白名單內的 HTML 標籤與屬性,只適合刻意允許使用者輸入部分 HTML 的欄位。另外同一欄位在 ItemTemplate、AlternatingItemTemplate、SelectedItemTemplate、EditItemTemplate 都要套用同一種處理,漏掉任何一個範本,該範本就仍是未編碼的輸出點。
[研究]一些HtmlEncode、HtmlSanitizer與Fortify SCA的XSS (Cross-Site Scripting)檢測https://shaurong.blogspot.com/2021/11/htmlencodehtmlsanitizerfortify-scaxss.html
Default.aspx
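<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication6.Default" %>

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <asp:SqlDataSource ID="SqlDataSource1" runat="server"
                ConnectionString="<%$ ConnectionStrings:TestDBConnectionString %>"
                SelectCommand="SELECT * FROM [Table1]">
            </asp:SqlDataSource>
            <br />
            <%--
                Every asp:Label Text below goes through WebApplication6.Common, in every row
                template (Item, AlternatingItem, SelectedItem, EditItem): a Label writes its Text
                into the page as-is, so a stored value must be encoded (AntiXssEval) or sanitized
                (HtmlSanitizerEval) before it gets there. The same field uses the same helper in
                every template, so a selected or edited row renders no differently from a normal one.

                FieldText is the only column routed through HtmlSanitizerEval (it lets whitelisted
                markup through). If FieldText is plain text rather than user-authored HTML, switch it
                to AntiXssEval everywhere - encoding is the stronger default.

                asp:TextBox Bind() expressions are left bare on purpose: wrapping Bind() in a method
                call would break two-way binding for Update/Insert.
            --%>
            <asp:ListView ID="ListView1" runat="server" DataKeyNames="id" DataSourceID="SqlDataSource1" InsertItemPosition="LastItem">
                <AlternatingItemTemplate>
                    <tr style="background-color:#FFF8DC;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td><asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' /></td>
                        <td><asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' /></td>
                        <td><asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' /></td>
                        <td><asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' /></td>
                        <td><asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" /></td>
                    </tr>
                </AlternatingItemTemplate>
                <EditItemTemplate>
                    <tr style="background-color:#008A8C;color: #FFFFFF;">
                        <td>
                            <asp:Button ID="UpdateButton" runat="server" CommandName="Update" Text="更新" />
                            <asp:Button ID="CancelButton" runat="server" CommandName="Cancel" Text="取消" />
                        </td>
                        <%-- The id Label is a raw HTML sink even in edit mode, so it is encoded like the other templates. --%>
                        <td><asp:Label ID="idLabel1" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' /></td>
                        <td><asp:TextBox ID="FieldTextTextBox" runat="server" Text='<%# Bind("FieldText") %>' /></td>
                        <td><asp:TextBox ID="FieldDateTimeTextBox" runat="server" Text='<%# Bind("FieldDateTime") %>' /></td>
                        <td><asp:TextBox ID="FieldIntTextBox" runat="server" Text='<%# Bind("FieldInt") %>' /></td>
                        <td><asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Bind("FieldBit") %>' /></td>
                    </tr>
                </EditItemTemplate>
                <EmptyDataTemplate>
                    <table runat="server" style="background-color: #FFFFFF;border-collapse: collapse;border-color: #999999;border-style:none;border-width:1px;">
                        <tr>
                            <td>未傳回資料。</td>
                        </tr>
                    </table>
                </EmptyDataTemplate>
                <InsertItemTemplate>
                    <tr style="">
                        <td>
                            <asp:Button ID="InsertButton" runat="server" CommandName="Insert" Text="插入" />
                            <asp:Button ID="CancelButton" runat="server" CommandName="Cancel" Text="清除" />
                        </td>
                        <td></td>
                        <td><asp:TextBox ID="FieldTextTextBox" runat="server" Text='<%# Bind("FieldText") %>' /></td>
                        <td><asp:TextBox ID="FieldDateTimeTextBox" runat="server" Text='<%# Bind("FieldDateTime") %>' /></td>
                        <td><asp:TextBox ID="FieldIntTextBox" runat="server" Text='<%# Bind("FieldInt") %>' /></td>
                        <td><asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Bind("FieldBit") %>' /></td>
                    </tr>
                </InsertItemTemplate>
                <ItemTemplate>
                    <tr style="background-color:#DCDCDC;color: #000000;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td><asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' /></td>
                        <td><asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' /></td>
                        <td><asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' /></td>
                        <td><asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' /></td>
                        <td><asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" /></td>
                    </tr>
                </ItemTemplate>
                <LayoutTemplate>
                    <table runat="server">
                        <tr runat="server">
                            <td runat="server">
                                <table id="itemPlaceholderContainer" runat="server" border="1" style="background-color: #FFFFFF;border-collapse: collapse;border-color: #999999;border-style:none;border-width:1px;font-family: Verdana, Arial, Helvetica, sans-serif;">
                                    <tr runat="server" style="background-color:#DCDCDC;color: #000000;">
                                        <th runat="server"></th>
                                        <th runat="server">id</th>
                                        <th runat="server">FieldText</th>
                                        <th runat="server">FieldDateTime</th>
                                        <th runat="server">FieldInt</th>
                                        <th runat="server">FieldBit</th>
                                    </tr>
                                    <tr id="itemPlaceholder" runat="server"></tr>
                                </table>
                            </td>
                        </tr>
                        <tr runat="server">
                            <td runat="server" style="text-align: center;background-color: #CCCCCC;font-family: Verdana, Arial, Helvetica, sans-serif;color: #000000;">
                                <asp:DataPager ID="DataPager1" runat="server">
                                    <Fields>
                                        <asp:NextPreviousPagerField ButtonType="Button" ShowFirstPageButton="True" ShowLastPageButton="True" />
                                    </Fields>
                                </asp:DataPager>
                            </td>
                        </tr>
                    </table>
                </LayoutTemplate>
                <SelectedItemTemplate>
                    <tr style="background-color:#008A8C;font-weight: bold;color: #FFFFFF;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td><asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' /></td>
                        <td><asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' /></td>
                        <td><asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' /></td>
                        <td><asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' /></td>
                        <td><asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" /></td>
                    </tr>
                </SelectedItemTemplate>
            </asp:ListView>
        </div>
    </form>
</body>
</html>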
Default.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebApplication6;

namespace WebApplication6
{
    /// <summary>
    /// Code-behind for Default.aspx. Data access and rendering are declared entirely in the
    /// markup (SqlDataSource + ListView with data-bound templates), so this class has no logic
    /// of its own.
    /// </summary>
    public partial class Default : System.Web.UI.Page
    {
        /// <summary>
        /// Page load handler. Intentionally empty: the ListView is bound declaratively via
        /// DataSourceID, and the output encoding happens in the template expressions.
        /// </summary>
        /// <param name="sender">The page raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Nothing to do on load.
        }
    }
}
Common.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
namespace WebApplication6
{
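/// <summary>
/// Output-encoding helpers for data-binding expressions in the ASPX templates.
/// Wrap an Eval() result in one of these before assigning it to an asp:Label Text
/// (or any other sink that writes the string into the page verbatim).
/// </summary>
public class Common
{
    /// <summary>
    /// HTML-encodes a data-bound value so that it is displayed as text rather than
    /// interpreted as markup.
    /// </summary>
    /// <param name="object1">The value returned by Eval(); null is treated as an empty string.</param>
    /// <returns>
    /// The value's ToString() form with HTML metacharacters encoded (named entities where available).
    /// </returns>
    /// <remarks>
    /// ToString() is applied to the raw value, so any formatting (e.g. String.Format for a
    /// DateTime) must be done by the caller before the result is passed in; otherwise a
    /// DateTime renders in its default full date-and-time form.
    /// </remarks>
    public static string AntiXssEval(object object1)
    {
        string text = (object1 == null) ? "" : object1.ToString();
        return System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(text, true);
    }

    /// <summary>
    /// Sanitizes a data-bound value with an HTML whitelist instead of encoding it.
    /// Use this only for fields that are meant to hold user-authored HTML; for plain
    /// text, <see cref="AntiXssEval"/> is the stronger choice because nothing gets through.
    /// </summary>
    /// <param name="object1">The value returned by Eval(); null is treated as an empty string.</param>
    /// <returns>The sanitized HTML fragment.</returns>
    public static string HtmlSanitizerEval(object object1)
    {
        // MyAntiXssFilter already maps null to "" and calls ToString() on anything else,
        // so the value can be handed over as-is.
        return MyAntiXssFilter(object1);
    }

    /// <summary>
    /// Runs the input through Ganss.XSS.HtmlSanitizer with its default tag/attribute
    /// whitelist, extended to allow the "class" and "id" attributes.
    /// </summary>
    /// <param name="inputObject">Any value; null is treated as an empty string.</param>
    /// <returns>The sanitized HTML fragment; disallowed tags and attributes are removed.</returns>
    public static string MyAntiXssFilter(object inputObject)
    {
        string inputStr = (inputObject == null) ? "" : inputObject.ToString();

        // A fresh sanitizer per call keeps the original behaviour (no shared mutable configuration).
        var sanitizer = new Ganss.XSS.HtmlSanitizer();

        // NOTE(review): "class" and "id" are added on top of the sanitizer's defaults. Letting
        // user-supplied markup carry arbitrary id/class values allows it to collide with the
        // page's own element ids (DOM clobbering of any script that looks elements up by id)
        // and to hook into the site's CSS. Keep these only if the field genuinely needs them.
        sanitizer.AllowedAttributes.Add("class");
        sanitizer.AllowedAttributes.Add("id");

        return sanitizer.Sanitize(inputStr);
    }
}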
} |
結論:
一般文字、數字
<asp:Label ID="idLabel" runat="server" Text='<%# Eval("id") %>' />
改成
<asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />
注意,日期欄位要把整個 String.Format(...) 放進 AntiXssEval 中,因為 AntiXssEval 會先對傳入的物件呼叫 ToString();若只包住 Eval("myDate"),DateTime 會以預設格式轉成字串,顯示就會包含時分秒部分。
<asp:Label ID="myDateLabel" runat="server" Text='<%# String.Format("{0:MM/dd/yyyy}", Eval("myDate")) %>' />
改成
<asp:Label ID="myDateLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(String.Format("{0:MM/dd/yyyy}", Eval("myDate"))) %>' />
(完)