2020年10月20日 星期二

[研究][ASP.NET][C#]Fortify SCA 報告 Eval()有 Cross-Site Scripting: Persistent解法

[研究][ASP.NET][C#][WebForm]Fortify SCA 報告 Eval()有 Cross-Site Scripting: Persistent解法

2020-10-20
2021-11-22 修訂

Eval() 有時候會被 Fortify SCA 報告有 Cross-Site Scripting: Persistent 問題，有時候又不會，敝人尚未弄清原因。可以確定的是：asp:Label 的 Text 是原樣輸出、不會自動做 HTML 編碼，而 Fortify 會把從資料庫（SqlDataSource）讀出的值視為可能被使用者寫入的來源，所以「資料庫 → Eval() → Label.Text」這條路徑本身就是 Persistent（stored）XSS 的典型樣式；有沒有被報告，可能取決於 Fortify 是否追蹤得到那一條資料流。



<asp:Label ID="Label2" runat="server" Text='<%# Eval("CaseTypeName") %>' />

只要參考這篇用 HtmlEncode 或 HtmlSanitizer 就可解決。兩者用途不同：一般文字、數字、日期欄位用 HtmlEncode（輸出時把 <、>、引號、& 等字元轉成實體，內容不會被當成 HTML 執行）；HtmlSanitizer 只用在「資料本身就是要以 HTML 呈現」的欄位，它會保留白名單內的標籤與屬性，所以白名單多放什麼（例如 id 屬性）會直接影響安全性。同一個欄位在各個 Template（Item、Alternating、Selected、Edit）裡應該用同一種處理方式，否則只要漏掉一個樣板就還是有洞。

[研究]一些HtmlEncode、HtmlSanitizer與Fortify SCA的XSS (Cross-Site Scripting)檢測https://shaurong.blogspot.com/2021/11/htmlencodehtmlsanitizerfortify-scaxss.html

Default.aspx


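<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication6.Default" %>

<%--
    Demo page for the Fortify SCA "Cross-Site Scripting: Persistent" finding on Eval().

    Rule applied throughout: every Eval() whose result lands in asp:Label.Text goes through
    WebApplication6.Common (Common.cs). Label.Text is rendered verbatim, so a value read from
    the database via SqlDataSource would otherwise reach the page unencoded.
      - Common.AntiXssEval       : HTML-encodes. Used for id, FieldDateTime, FieldInt and any
                                   other plain-text column. This is the default choice.
      - Common.HtmlSanitizerEval : allow-list sanitizer. Used only for FieldText, on the
                                   assumption that this column is meant to hold markup.
                                   If FieldText is plain text, switch it to AntiXssEval too.
    The same column is treated the same way in every template (Item / Alternating / Selected /
    Edit) so that no single template is left as the unencoded path.
    Bind() on TextBox.Text / CheckBox.Checked is left as-is: those controls emit the value as an
    encoded attribute rather than as raw markup (the Label case is the one reported here);
    re-check if the scanner flags them as well.
--%>
<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <%-- NOTE(review): only SelectCommand is defined. The ListView's Delete / Update / Insert
                 buttons need matching parameterized DeleteCommand / UpdateCommand / InsertCommand on
                 this data source; without them those commands fail at runtime. --%>
            <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:TestDBConnectionString %>" SelectCommand="SELECT * FROM [Table1]">
            </asp:SqlDataSource>
            <br />
            <asp:ListView ID="ListView1" runat="server" DataKeyNames="id" DataSourceID="SqlDataSource1" InsertItemPosition="LastItem">
                <AlternatingItemTemplate>
                    <tr style="background-color:#FFF8DC;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td>
                            <asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' />
                        </td>
                        <td>
                            <asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" />
                        </td>
                    </tr>
                </AlternatingItemTemplate>
                <EditItemTemplate>
                    <tr style="background-color:#008A8C;color: #FFFFFF;">
                        <td>
                            <asp:Button ID="UpdateButton" runat="server" CommandName="Update" Text="更新" />
                            <asp:Button ID="CancelButton" runat="server" CommandName="Cancel" Text="取消" />
                        </td>
                        <td>
                            <%-- The key is still shown through a Label in edit mode, so it is encoded like the other templates. --%>
                            <asp:Label ID="idLabel1" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />
                        </td>
                        <td>
                            <asp:TextBox ID="FieldTextTextBox" runat="server" Text='<%# Bind("FieldText") %>' />
                        </td>
                        <td>
                            <asp:TextBox ID="FieldDateTimeTextBox" runat="server" Text='<%# Bind("FieldDateTime") %>' />
                        </td>
                        <td>
                            <asp:TextBox ID="FieldIntTextBox" runat="server" Text='<%# Bind("FieldInt") %>' />
                        </td>
                        <td>
                            <asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Bind("FieldBit") %>' />
                        </td>
                    </tr>
                </EditItemTemplate>
                <EmptyDataTemplate>
                    <table runat="server" style="background-color: #FFFFFF;border-collapse: collapse;border-color: #999999;border-style:none;border-width:1px;">
                        <tr>
                            <td>未傳回資料。</td>
                        </tr>
                    </table>
                </EmptyDataTemplate>
                <InsertItemTemplate>
                    <tr style="">
                        <td>
                            <asp:Button ID="InsertButton" runat="server" CommandName="Insert" Text="插入" />
                            <asp:Button ID="CancelButton" runat="server" CommandName="Cancel" Text="清除" />
                        </td>
                        <td>&nbsp;</td>
                        <td>
                            <asp:TextBox ID="FieldTextTextBox" runat="server" Text='<%# Bind("FieldText") %>' />
                        </td>
                        <td>
                            <asp:TextBox ID="FieldDateTimeTextBox" runat="server" Text='<%# Bind("FieldDateTime") %>' />
                        </td>
                        <td>
                            <asp:TextBox ID="FieldIntTextBox" runat="server" Text='<%# Bind("FieldInt") %>' />
                        </td>
                        <td>
                            <asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Bind("FieldBit") %>' />
                        </td>
                    </tr>
                </InsertItemTemplate>
                <ItemTemplate>
                    <tr style="background-color:#DCDCDC;color: #000000;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td>
                            <asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' />
                        </td>
                        <td>
                            <asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" />
                        </td>
                    </tr>
                </ItemTemplate>
                <LayoutTemplate>
                    <table runat="server">
                        <tr runat="server">
                            <td runat="server">
                                <table id="itemPlaceholderContainer" runat="server" border="1" style="background-color: #FFFFFF;border-collapse: collapse;border-color: #999999;border-style:none;border-width:1px;font-family: Verdana, Arial, Helvetica, sans-serif;">
                                    <tr runat="server" style="background-color:#DCDCDC;color: #000000;">
                                        <th runat="server"></th>
                                        <th runat="server">id</th>
                                        <th runat="server">FieldText</th>
                                        <th runat="server">FieldDateTime</th>
                                        <th runat="server">FieldInt</th>
                                        <th runat="server">FieldBit</th>
                                    </tr>
                                    <tr id="itemPlaceholder" runat="server">
                                    </tr>
                                </table>
                            </td>
                        </tr>
                        <tr runat="server">
                            <td runat="server" style="text-align: center;background-color: #CCCCCC;font-family: Verdana, Arial, Helvetica, sans-serif;color: #000000;">
                                <asp:DataPager ID="DataPager1" runat="server">
                                    <Fields>
                                        <asp:NextPreviousPagerField ButtonType="Button" ShowFirstPageButton="True" ShowLastPageButton="True" />
                                    </Fields>
                                </asp:DataPager>
                            </td>
                        </tr>
                    </table>
                </LayoutTemplate>
                <SelectedItemTemplate>
                    <%-- Same column -> same helper as ItemTemplate; previously id was unencoded here,
                         FieldText used the encoder and FieldDateTime the sanitizer. --%>
                    <tr style="background-color:#008A8C;font-weight: bold;color: #FFFFFF;">
                        <td>
                            <asp:Button ID="DeleteButton" runat="server" CommandName="Delete" Text="刪除" />
                            <asp:Button ID="EditButton" runat="server" CommandName="Edit" Text="編輯" />
                        </td>
                        <td>
                            <asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldTextLabel" runat="server" Text='<%# WebApplication6.Common.HtmlSanitizerEval(Eval("FieldText")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldDateTimeLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldDateTime")) %>' />
                        </td>
                        <td>
                            <asp:Label ID="FieldIntLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("FieldInt")) %>' />
                        </td>
                        <td>
                            <asp:CheckBox ID="FieldBitCheckBox" runat="server" Checked='<%# Eval("FieldBit") %>' Enabled="false" />
                        </td>
                    </tr>
                </SelectedItemTemplate>
            </asp:ListView>
        </div>
    </form>
</body>
</html>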


Default.aspx.cs


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebApplication6;

namespace WebApplication6
{
    /// <summary>
    /// Code-behind for Default.aspx. The page is driven entirely by the declarative
    /// SqlDataSource / ListView in the markup; output encoding of bound values is done in
    /// the data-binding expressions there (Common.AntiXssEval / Common.HtmlSanitizerEval),
    /// so there is no server-side logic here.
    /// </summary>
    public partial class Default : System.Web.UI.Page
    {
        /// <summary>Intentionally empty: nothing to prepare beyond the declarative data binding.</summary>
        protected void Page_Load(object sender, EventArgs e) { }
    }
}


Common.cs


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

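namespace WebApplication6
{
    /// <summary>
    /// Output-encoding helpers for data-binding expressions (&lt;%# ... %&gt;) whose result is
    /// assigned to a control property that is rendered verbatim, such as Label.Text.
    /// Eval() returns the raw column value; without one of these wrappers a payload stored in
    /// the database is written into the page as-is (stored / persistent XSS, the finding
    /// Fortify SCA reports on Eval()).
    /// </summary>
    public class Common
    {
        /// <summary>
        /// HTML-encodes a bound value for an HTML element-content context (Label.Text, literal text).
        /// </summary>
        /// <param name="object1">Raw Eval() result. null becomes an empty string; DBNull.ToString() is empty as well.</param>
        /// <returns>The value's ToString() with HTML-significant characters replaced by named entities.</returns>
        /// <remarks>
        /// Correct only for element content. A value placed in an attribute, a script block or a URL
        /// needs AntiXssEncoder.HtmlAttributeEncode / JavaScriptStringEncode / UrlEncode instead.
        /// Any formatting (e.g. String.Format("{0:MM/dd/yyyy}", ...)) must be applied before this
        /// call, because the value is converted with ToString() here.
        /// </remarks>
        public static string AntiXssEval(object object1)
        {
            string text = object1 == null ? "" : object1.ToString();
            // useNamedEntities: true -> emits e.g. &lt; rather than the numeric &#60;.
            return System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(text, true);
        }

        /// <summary>
        /// Sanitizes a bound value that is intended to be rendered as HTML (rich text stored in the DB).
        /// Prefer <see cref="AntiXssEval"/> for anything that is plain text: sanitizing keeps markup,
        /// encoding neutralises it.
        /// </summary>
        /// <param name="object1">Raw Eval() result; null yields an empty string.</param>
        /// <returns>Markup reduced to the sanitizer's allow-list.</returns>
        public static string HtmlSanitizerEval(object object1)
        {
            // MyAntiXssFilter already maps null to "", so no pre-conversion is needed here.
            return MyAntiXssFilter(object1);
        }

        /// <summary>
        /// Runs the input through HtmlSanitizer using the library's default allow-list plus the
        /// "class" attribute.
        /// </summary>
        /// <param name="inputObject">Value to sanitize; null yields an empty string.</param>
        /// <returns>The sanitized HTML fragment.</returns>
        public static string MyAntiXssFilter(object inputObject)
        {
            string inputStr = inputObject == null ? "" : inputObject.ToString();

            // A fresh instance per call keeps this free of shared mutable state. A single cached
            // instance would avoid rebuilding the allow-lists on every bound cell, but confirm the
            // library's thread-safety guarantees for the version in use before sharing one across
            // requests — TODO.
            var sanitizer = new Ganss.XSS.HtmlSanitizer();
            sanitizer.AllowedAttributes.Add("class");
            // "id" is deliberately NOT allow-listed: attacker-chosen ids on sanitized elements are a
            // DOM-clobbering vector (they can shadow named properties of window / document / the
            // form), and a WebForms page relies on fixed ids such as form1, __VIEWSTATE and
            // __EVENTTARGET. Re-add it only for a documented need, and then constrain the values.
            return sanitizer.Sanitize(inputStr);
        }
    }
}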


結論:

一般文字、數字

<asp:Label ID="idLabel" runat="server" Text='<%# Eval("id") %>' />

改成

<asp:Label ID="idLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(Eval("id")) %>' />

注意，日期欄位要把整個 String.Format(...) 放進 AntiXssEval 裡，而不是只包住 Eval("myDate")：AntiXssEval 會先對參數呼叫 ToString()，如果先包 Eval() 再交給 String.Format，{0:MM/dd/yyyy} 拿到的已經是字串、格式不會生效，顯示出來就會包含時分秒部分。

<asp:Label ID="myDateLabel" runat="server" Text='<%# String.Format("{0:MM/dd/yyyy}", Eval("myDate")) %>' />

改成

<asp:Label ID="myDateLabel" runat="server" Text='<%# WebApplication6.Common.AntiXssEval(String.Format("{0:MM/dd/yyyy}", Eval("myDate"))) %>' />

(完)
